Moldova - Data Protection Overview

January 2022

1. Governing Texts

Given the internationally recognised importance of the right to personal data protection, as well as the enshrinement of this right in the Constitution of the Republic of Moldova ('the Constitution') (in particular Article 28 of the Constitution, which provides the right to intimate, family, and private life), starting from mid-2000 Moldovan lawmakers have paid special attention to the protection of this right. The first dedicated law, enacted in 2007, was replaced fairly soon afterwards, in April 2012, by the more modern Law No. 133 on Personal Data Protection ('the Law on Personal Data'). This Law transposed the European Union's Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data ('Data Protection Directive').

In a new round of legislative reform, important amendments to the Law on Personal Data, passed by Law No. 175 of 11 November 2021 (only available to download in Romanian here) ('the Amendments'), were enacted on 10 January 2022; they aim to partially transpose the GDPR.

1.1. Key acts, regulations, directives, bills

National instruments

Draft legislation

  • Draft Law on Video Media Regime (only available in Romanian here).

International instruments

1.2. Guidelines

The role of the National Center for Personal Data Protection ('NCPDP'), i.e. the national data protection authority, consists of issuing various subject-limited decisions and instructions (only available in Romanian here), whereby it provides the public with official opinions on particular personal data protection issues. From a more general and comprehensive standpoint, the NCPDP has also issued the following:

  • Instructions on the Processing of Personal Data in the Election Process (Order No. 03/1 of 28 February 2013) (only available in Romanian here);
  • Instructions on the Processing of Personal Data in the Police Sector (Order of May 2013) (only available in Romanian here);
  • Instructions on the Processing of Personal Data in the Education Sector (Order No. 03 of 21 January 2015) (only available in Romanian here); and
  • Instructions on the Processing of Personal Data on Health Status (only available in Romanian here).

1.3. Case law

Under Moldovan law, except in relation to the parties to the dispute, court judgments have no binding character. This also applies to the Supreme Court of Moldova ('the Supreme Court'), which has the authority and responsibility to issue explanatory plenum judgments to unify the case law. So far, the Supreme Court has not issued any judgments on personal data protection issues.

2. Scope of Application

2.1. Personal scope

Article 1 of the Law on Personal Data states that its purpose is to ensure the protection of the rights and fundamental freedoms of natural persons with respect to the processing of personal data. Furthermore, Article 2 of the Law on Personal Data provides that it applies to activities performed by both controllers and processors, without prejudice to legal actions which could be initiated against the controller itself.

2.2. Territorial scope

The Law on Personal Data will apply if (Article 2(2) thereof):

  • the controller is established in the territory of the Republic of Moldova;
  • in the case of processing of personal data that is carried out within the diplomatic missions and consular offices of the Republic of Moldova, or where the controller is not established on national territory, such processing is situated in a place where national law applies by virtue of public international law; and
  • the controller is not established on national territory, but for purposes of processing personal data, makes use of equipment, automated or otherwise, situated on national territory, unless such equipment is used only for purposes of transit through national territory.

2.3. Material scope

The Law on Personal Data regulates legal relations arising during the processing operations of personal data, which form part of an evidence system or are intended to be included in such an evidence system (Article 2(1) of the Law on Personal Data).

In addition, the Law on Personal Data will apply where the processing of personal data is related to the prevention and investigation of criminal offences, enforcement of convictions, and other activities within criminal or administrative procedures according to law (Article 2(2) of the Law on Personal Data).

However, the Law on Personal Data does not apply where (Article 2(4) of the Law on Personal Data):

  • the processing of the personal data is carried out exclusively for personal and family purposes, and no violations of the rights of data subjects arise;
  • the processing of personal data is related to state secrets; and
  • the processing operations and cross-border transfer of personal data are related to perpetrators or victims of genocide, war crimes, and other crimes against humanity.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The NCPDP supervises compliance with legal requirements and discharges its functions with impartiality and independence (Article 19 of the Law on Personal Data).

3.2. Main powers, duties and responsibilities

The NCPDP's main duties include (Article 20(1) of the Law on Personal Data):

  • to supervise and monitor compliance with the legislation on personal data protection;
  • to order the suspension or cessation of personal data processing;
  • to make draft law proposals and cooperate with public authorities, the mass media, and non-governmental organisations, as well as with similar foreign institutions;
  • to collect and analyse annual activity reports of public authorities with regard to the protection of individuals in respect of personal data processing; and
  • to establish and conclude minutes on contraventions (with subsequent submission for approval to the Moldovan Courts) according to the Contravention Code of the Republic of Moldova No. 218-XVI of 24 October 2008 ('the Contravention Code').

The NCPDP's main competencies include (Article 20(2) of the Law on Personal Data):

  • to request and receive from natural or legal persons governed by public or private law, information necessary for the exercise of its duties;
  • to obtain from controllers the support and information necessary for the exercise of its duties;
  • to recruit specialists and experts in the activity of prior checking and control of the lawfulness of personal data processing in areas which require special expertise; and
  • to request from controllers the rectification, blocking, or destruction of personal data which are inaccurate or obtained unlawfully.

4. Key Definitions 

Data controller: The Law on Personal Data defines 'controller' as a natural or legal person governed by public or private law, including a public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 3 of the Law on Personal Data).

Data processor: The Law on Personal Data defines 'processor' as a natural or legal person governed by public or private law, including a public authority and its territorial subdivisions, which processes personal data on behalf and upon the instruction of the controller (Article 3 of the Law on Personal Data).

Personal data: The Law on Personal Data defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 3 of the Law on Personal Data).

Sensitive data: The Law on Personal Data employs the notion of 'special categories of data,' which is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, social affiliation, data concerning health or sex life, as well as data relating to criminal convictions, coercive measures, or administrative sanctions (Article 3 of the Law on Personal Data).

Health data: Not defined.

Biometric data: Not defined.

Pseudonymisation: The Law on Personal Data does not define 'pseudonymisation.' However, the Law on Personal Data defines 'depersonalisation of data' as the alteration of personal data so that details of personal or material circumstances can no longer be linked to an identified or identifiable natural person, or so that a link can only be made within an investigation with disproportionate efforts, expense, and use of time (Article 3 of the Law on Personal Data).

Consent: The Law on Personal Data defines 'consent' as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them (Article 3 of the Law on Personal Data, as per the Amendments).

Data subject: The Law on Personal Data indirectly defines 'data subject' as an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 3 of the Law on Personal Data).

Profiling: The Law on Personal Data, as per the Amendments, defines 'profiling' as a form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

5. Legal Bases

5.1. Consent

Article 5(1) of the Law on Personal Data establishes that personal data may be processed with the consent of the data subject. However, the consent given for personal data processing may be withdrawn at any time by the data subject, although such withdrawal is not retroactive (Article 5(2) of the Law on Personal Data).

Further to this, where the data subject is physically or legally incapable of giving their consent, the consent for the processing of personal data may be given in writing by their legal representative (Article 5(3) of the Law on Personal Data). In the event of the death of the data subject, the consent for the processing of their personal data must be given in writing by their successors, where such consent was not given by the data subject during their lifetime (Article 5(4) of the Law on Personal Data).

5.2. Contract with the data subject

Article 5(5)(a) of the Law on Personal Data states that the data subject's consent is not required where the processing is necessary for the performance of a contract to which the data subject is party, in order to take steps at the request of the data subject prior to entering into a contract.

5.3. Legal obligations

Article 5(5)(b) of the Law on Personal Data stipulates that the data subject's consent is not required where the processing is necessary to carry out an obligation of the controller under Moldovan law.

5.4. Interests of the data subject

Article 5(5)(c) of the Law on Personal Data provides that the data subject's consent is not required where the processing is necessary in order to protect the life, physical integrity, or health of the data subject.

5.5. Public interest

Article 5(5)(d) of the Law on Personal Data establishes that the personal data subject's consent is not required where the processing is necessary for the performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the controller or in a third party to whom the personal data are disclosed.

5.6. Legitimate interests of the data controller

Article 5(5)(e) of the Law on Personal Data states that the data subject's consent is not required where the processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party to whom personal data is disclosed, except where such interest is overridden by the interests for fundamental rights and freedoms of the data subject.

5.7. Legal bases in other instances

Article 5(5)(f) of the Law on Personal Data stipulates that the data subject's consent is not required where the processing is necessary for statistical, historical, or scientific/research purposes, except where the personal data remains anonymous for a longer period of processing.

6. Principles

The controller is under the obligation to ensure that personal data is (Article 4(1) of the Law on Personal Data):

  • processed fairly and lawfully;
  • collected for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with such purposes;
  • adequate, relevant, and not excessive in relation to the purposes for which it is collected and/or further processed;
  • accurate and, where necessary, kept up to date; and
  • kept in a form which allows identification of the data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

7. Controller and Processor Obligations

7.1. Data processing notification

Before the Amendments, the controller had the obligation, before carrying out the processing of personal data, to notify the NCPDP and specify the scope and categories of data processing, either personally or through the representatives authorised by them (i.e. processors) (Article 23(1) of the Law on Personal Data).

Pursuant to the Amendments, and as of their date, the controller was relieved of this obligation. The controller was also relieved of the NCPDP notification obligation (similar to EU countries) and the obligation to specify the personal data filing systems related to processing, as well as possible relations with other data processing operations or with other personal data filing systems, whether performed or not, and if they are established on the territory of the Republic of Moldova.

7.2. Data transfers

On 1 April 2022, the NCPDP announced that it had adopted Decision of the NCPDP No. 23 of 17 March 2022 on the approved list of states that ensure an adequate level of personal data protection (only available in Romanian here) ('the Decision'). The Decision entered into effect on the date of publication. The Decision outlines the following jurisdictions as providing an adequate level of protection:

  • Andorra;
  • Argentina;
  • Canada;
  • the Faroe Islands;
  • Guernsey;
  • the State of Israel;
  • the Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • the Republic of Korea;
  • Switzerland;
  • Uruguay; and
  • the United Kingdom of Great Britain and Northern Ireland.

Where a country is not recognised as providing an adequate level of protection, personal data may still be transferred but only if:

  • the processing takes place on the basis of an agreement or treaty signed between the Republic of Moldova and the country of destination;
  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and a third party in the interest of the data subject;
  • the transfer is necessary in order to protect the vital interests of the data subject;
  • the transfer may be performed if journalistic, artistic, scientific, literary, or archival purposes are pursued in the public interest;
  • the transfer may be operated to other companies or organisations from the same group as the controller, provided that the corporate rules are observed, rules approved by the EEA countries, or those approved by the NCPDP;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise, or defence of legal claims; and
  • if the transfer takes place under the standard agreement for the cross-border transfer of personal data, developed and approved by the NCPDP and concluded by the controller.

7.3. Data processing records

The Law on Personal Data does not impose an obligation on controllers to observe a minimum period of maintaining data processing records. However, given the general limitation period, data controllers and processors are recommended to maintain their data processing records for at least three years.

7.4. Data protection impact assessment

The Amendments have imposed on the controller an obligation to perform a data protection impact assessment ('DPIA') where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Prior to the processing, the controller shall carry out a DPIA assessing the impact of the envisaged processing operations on the protection of personal data. The data protection officer ('DPO') must issue an opinion on the performed DPIA. The Amendments require a DPIA in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences referred to a natural person; and
  • a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

The NCPDP is yet to issue a list of the types of processing for which a DPIA must be performed by the controller.

7.5. Data protection officer appointment

The Amendments have further imposed the obligations of the controller and the processor to designate a DPO where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant.

The DPO shall be selected and appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO may be an employee of the controller, or the controller can outsource this activity through an agreement. The DPO shall not receive any instructions regarding the exercise of their tasks from the controller or the processor. The DPO may not be dismissed or sanctioned by the controller or the processor; they must report directly to the top management of the controller or the processor.

The main tasks of the DPO are:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the data protection legal framework;
  • to monitor compliance with the Law on Personal Data, other normative acts, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  • to cooperate with the NCPDP; and
  • to act as the contact point for the NCPDP on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

7.6. Data breach notification

There are currently no particular provisions in national law on data breach notification, as described in the GDPR. There is a general obligation for the controller to notify the NCPDP of all system security incidents on an annual basis. This is done by reporting every year no later than 31 January (Article 90 of the Resolution No. 1123/2010).

7.7. Data retention

The controller and processor must ensure that the data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. When the processing has finished, and there is no consent of the data subject for further data processing, the data must be (Article 11 of the Law on Personal Data):

  • destroyed;
  • transferred to another controller, only if the same purpose of processing applies; and/or
  • transformed into anonymised data for statistical purposes or for the purposes of historical or scientific research.

7.8. Children's data

Children's personal data may be processed without having to comply with certain special conditions. However, when the consent of the data subject is required, the controller is required to obtain it from the legal representative (e.g. parents) of the child (Article 5(3) of the Law on Personal Data). According to the general rules, a person is considered to have full legal capacity (i.e. considered as an adult) at the age of 18, subject to certain exceptions.

7.9. Special categories of personal data

The processing of personal data relating to criminal convictions, coercive procedural measures, or administrative sanctions may be carried out only by or under the control of public authorities, within the limits of their competences and on the conditions set by laws regulating these areas (Article 8(1) of the Law on Personal Data).

7.10. Controller and processor contracts

When data processing is carried out by a processor, the Law on Personal Data obliges the controller to choose a processor providing sufficient guarantees in respect of the technical security and organisational measures governing the intended processing, and that can ensure compliance with such measures (Article 30(2) of the Law on Personal Data).

The carrying out of processing by way of a processor must be governed by a contract or a binding legal act on the processor, which stipulates in particular (Article 30(3) of the Law on Personal Data):

  • that the processor shall act only on instructions from the controller; and
  • that the controller's obligation to implement appropriate technical and organisational measures to protect personal data against the destruction, loss, alteration, blocking, disclosure, or access of personal data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, is incumbent on the processor.

8. Data Subject Rights

8.1. Right to be informed

Data directly collected from the data subject

The controller is obliged to provide the data subject with the following information (Article 12(1) of the Law on Personal Data):

  • the controller or processor's identity;
  • the purposes of the processing for which the data are intended;
  • the existence of the right of access to, and the right to rectify, the data concerning them; and
  • any further information, including the recipients or categories of recipients of data, whether replies to questions relating to the collection of personal data are obligatory or voluntary, as well as the possible consequences of failure to reply.

Data indirectly collected from the data subject

Article 12(2) of the Law on Personal Data establishes that where the personal data is not collected directly from the data subject, the controller or the processor must provide, at the time of data collection, or if a disclosure to the third parties is envisaged, no later than the time when the data is first disclosed, the data subject with information on the categories of personal data which are intended to be collected or disclosed. The controller or the processor must also provide the following information:

  • the controller or processor's identity;
  • the purposes of the processing for which the data are intended;
  • the existence of the right of access to, and the right to rectify, the data concerning them; and
  • any further information, including the recipients or categories of recipients of data.

This is not applicable where (Article 12(3) of the Law on Personal Data):

  • the data subject already has the information;
  • processing of personal data is carried out for statistical, historical, or scientific/research purposes;
  • provision of such information proves to be impossible or involves disproportionate effort towards the legitimate interest that might be violated; and
  • recording or disclosure of personal data is expressly stipulated by law.

8.2. Right to access

Article 13(1) of the Law on Personal Data states that data subjects have the right to obtain from the controller, upon request, without delay and free of charge, the following:

  • confirmation as to whether or not data relating to him/her is being processed, and information as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
  • communication to him/her, in an intelligible form and in a way that does not require additional equipment, of the data undergoing processing, and of any available information as to their source;
  • information on the logic involved in any automatic processing of data concerning the data subject;
  • information on legal consequences for the data subject generated by processing of these data; and
  • information on the exercise of the right of intervention upon the personal data.

8.3. Right to rectification

Article 14(a) of the Law on Personal Data states that data subjects have the right to obtain from the controller or their representative, on request and free of charge, the rectification of personal data, the processing of which does not comply with the Law on Personal Data, particularly where such data is incomplete or inaccurate in nature.

Article 14(b) of the Law on Personal Data further stipulates that the data subject may also request such rectification to be notified to any third parties to whom their personal data has been disclosed, except where such notification proves to be impossible or involves a disproportionate effort towards the legitimate interest that might be violated.

8.4. Right to erasure

Article 14(a) of the Law on Personal Data states that data subjects have the right to obtain from the controller or their representative, on request and free of charge, the erasure of personal data, the processing of which does not comply with the Law on Personal Data, particularly where such data is incomplete or inaccurate in nature.

Article 14(b) of the Law on Personal Data further stipulates that the data subject may also request such erasure to be notified to any third parties to whom their personal data has been disclosed, except where such notification proves to be impossible or involves a disproportionate effort towards the legitimate interest that might be violated.

8.5. Right to object/opt-out

Article 16(1) of the Law on Personal Data states that:

  • data subjects have the right to object, at any time and free of charge, on compelling legitimate grounds relating to their particular situation, to the processing of personal data relating to them, save where otherwise provided by law; and
  • where there is a justified objection, the processing instigated by the controller may no longer involve such data.

Article 16(2) of the Law on Personal Data further stipulates that data subjects also have the right to object, at any time and free of charge, without any justification, to the processing of personal data relating to them for the purpose of direct marketing. In this regard, the controller or processor is also obliged to inform the data subject about their right to object to such operation before their personal data is disclosed to third parties.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Any person shall have the right to request the annulment, in whole or in part, of any individual decision which produces legal effects concerning his/her rights and freedoms, and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him/her, such as his/her performance at work, creditworthiness, conduct, or other similar aspects (Article 17(1) of the Law on Personal Data). However, a person may nevertheless be subject to automated decision-making if such decision is:

  • authorised by a law which also lays down measures to safeguard the data subject's legitimate interests; and
  • taken in the course of the entering into or performance of a contract, provided that the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied.

8.8. Other rights

Not applicable.

9. Penalties

Failure to observe the legal or regulatory requirements concerning the processing of personal data may entail various forms of personal and corporate liability. This is particularly manifested through the application of sanctions set forth in the Contravention Code and the Criminal Code of the Republic of Moldova (No. 985-XV of 18 April 2002) ('the Criminal Code'), but may also imply liability under civil law for damages incurred.

Among the harshest sanctions are fines of approx. €7,500 or the deprivation of the right to hold an office or to carry out certain activities for a period of one year. Natural persons may be criminally charged for the illegal collection or dissemination of another person's legally protected information that amounts to a personal or family secret (Article 177 of the Criminal Code).

In particular, failure to comply with the main conditions for the processing, storage, and use of personal data shall be sanctioned with a maximum fine of approx. €750 and/or with the deprivation of the right to carry out certain activities for a period of three years (Article 74 of the Contravention Code).

9.1. Enforcement decisions

Not applicable.