In the history of the Republic of Moldova, the right to Personal Data Protection appears for the first time in the mid of 2000s as a part of the right to intimate, family, and private life guaranteed by Article 28 of the Constitution of the Republic of Moldova. Then, in 2007, it becomes a guaranteed individual right by Law on Personal Data Protection.
Further, in 2012, data protection right was consolidated by modernized provisions of the more contemporary Law No. 133 on Personal Data Protection which has transposed the European Union’s Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals about the Processing of Personal Data and the Free Movement of Such Data (‘Data Protection Directive’).
Taking into consideration the challenges brought by new digital realities, it was absolutely necessary to make the first steps in the context of transposing GDPR provision in Moldova’s legislation. Consequently, on January 10, 2022, important amendments were enacted to the Law on Personal Data and passed by Law No. 175 of November 11, 2021.
According to new regulations, controllers and processors were canceled from the obligation of notification of data processing activities. Prior to the approvement of the above-mentioned Amendments, the controller had the obligation to notify the NCPDP and specify the scope and categories of data processing, either personally or through the representatives authorized by them (i.e. processors) (Article 23(1) of the Law on Personal Data).
Under the Amendments and from the day thereof, the controller was relieved from this obligation. The controller was also relieved from the NCPDP notification obligation (similar to EU countries) and the obligation to specify the personal data filing systems related to processing, as well as possible relations with other processing operations of data or with other personal data filing systems, whether performed or not and if there are established on the territory of the Republic of Moldova.
Also, according to new provisions, were introduced the controller’s obligation to perform data protection impact assessment (‘DPIA’), taking into account the nature, scope, context, and purposes of the processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Before the processing, the controller shall carry out a DPIA of the envisaged processing operations on the protection of personal data. The data protection officer (‘DPO’) must issue an opinion on the performed DPIA. The Amendments have required the DPIA upon:
- a systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offenses referred to a natural person;
- systematic monitoring of a publicly accessible area on a large scale.
The assessment shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations concerning the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged addressing the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The NPCDP is yet to issue a list of the type of processing for which a DPIA must be performed by the controller. At the same time, the new amendments have further imposed the obligations of the controller and the processor to designate a DPO where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant.
The DPO shall be selected and appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO may be an employee of the controller, or the controller can outsource this activity through an agreement. The DPO shall not receive any instructions regarding the exercise of their tasks from the controller or the processor. The DPO may not be dismissed or sanctioned by the controller or the processor, they must directly report to the top management of the controller or the processor.
In addition, the right to transmit personal data from the Republic of Moldova to the European Economic Area has been established in accordance with the principle of free movement of data and to countries that ensure an adequate level of data protection. The national data protection authority will approve within 3 months the list of countries that ensure an adequate level of data protection, taking into account the recognition decisions issued by the European Union. In addition, a set of about 30 national regulations has been adjusted to comply with and comply with the requirements of data protection legislation.
Noteworthy, that the Republic of Moldova plans to improve the right to data protection and enforce citizens’ rights in the context of new digital realities, which does not stop here, as a full package of amendments is ready to be approved by the Republic of Moldova Parliament. Proposed amendments aim to fully transpose the GDPR provision in place and ensure citizens’ security within a newly established digital world.
This article is prepared by the Moldovan Association of ICT Companies (ATIC)