Cross-border transfer and free movement of personal data

source of image:

With the approval of Law no. 17/2007 on the protection of personal data, the legal requirement has established that personal data may be transferred across borders only if adequate stages of protection are provided, for instance:

1.To countries that ensure an adequate level of protection of personal data:

The willingness of the countries to ensure an adequate level of data protection fell within the competence of the National Center for the Protection of Personal Data (NCPPD), having as criteria: addressing and ratification of Convention no. 108 CONVENTION ON THE PROTECTION OF PERSONS WITH REGARD TO THE AUTOMATIC PROCESSING OF PERSONAL DATA, the existence of data protection legislation, the compatibility of such legislation with one of the Republic of Moldova or the existence of bilateral agreements with reference states, the existence of national protection authorities including if the principles regarding data protection (legality, relevance and non-excessiveness of data, well-defined purpose, etc.) are respected.

2.To countries that do not provide an adequate level of protection of personal data:

  • Requirement of the person’s consent;
  • When it is necessary to execute a contract to which the person belongs;
  • Defending the rights and freedoms or interests of the data subject or where the data are public;

According to the indicated rules, any cross-border transfer of data has to be authorized by the NCPPD, regardless of necessity to send a database or an email containing a copy of the identity document. These requirements seemed more declarative. The situation was complicated due to the reason that the NCPPD has a limited number of  people  (only 21 persons), who are not be able to ensure the authorization of the necessary data flow. Please note that there is no liability for non-compliance with these requirements.

In 2012, Law no. 17 was repealed and replaced by Law no. 133/2011 on the protection of personal data which has largely maintained the same legal requirements for the cross-border transfer of personal data, further establishing that each personal data controller shall notify the NCPPD and request the authorization of the cross-border transfer of data on a personal basis. If it was done, and in the case of a cross-border transfer contrary to these requirements, there was foreseen a contravention liability of up to $700.

For example, if a company from the Republic of Moldova signed a contract for hosting services for website, for example with the company Amazon, the NCPPD requested:

  1. To hold a paper contract (the NCPPD was not accepting electronic contracts conditions of electronic);
  2. The conclusion on paper of an annex to the contract or an instruction with the host service provider that includes specific personal data protection requirements that the host service provider undertakes to comply with in accordance with the provisions of Government Decision no. 1123/2011, such as: ensuring fire protection measures, keeping logs regarding the audit of the system for at least a period of 2 years, endowment with signaling, bars, metal door and other access control systems of the security perimeter where the data will be stored on the server, indicating all the locations where this data will be stored, including how to grant access rights, ensuring measures of confidentiality and integrity, indicating the types of data categories to be processed, recipients of this data, storage period, how the data subjects concerned will be informed, etc.);
  3. Completion of a form in the Electronic Register of personal data operators managed by NCPPD with the attachment of all documents in electronic format and presentation on paper either in original or duly authenticated by applying the wet stamp and signature on each page of the presented documents.

The cross-border transfer of personal data was prohibited with the risk of being sanctioned until the NCPPD would issue the decision to authorize the cross-border transfer. The maximum period in which the NCPPD had to issue a decision was 90 days from the moment of the application was submitted.

This procedure for authorizing the cross-border transfer was absolutely inappropriate and bureaucratic. Between 2012 and 2022, around 3 million of applications for registration and authorization were processed by the NCPPD as a personal data controller, of which, only about 3,500 personal data controllers are registered and authorized by now.

Moreover, although Law no. 133/2011 on the protection of personal data established that the NCPPD was entitled to establish the situations in which it is not necessary to authorize the processing of data, including in the case of cross-border transfer, the Authority did not use this prerogative.

The amendments also included: the establishment of the principle of free movement of data in the case of cross-border data transfer to the European Economic Area and the obligation of the NCPPD was to approve the list of countries that ensure an adequate level of data protection within 3 months.

Finally, currently, cross-border transfers to 44 states can be made in the Republic of Moldova:

From 10 January2022 European Economic Area countries
(art. 32 lin. (2) lit. a)Law 133/2011)  
From 01 April 2022  
Countries approved by the CNPDCP Decision
(art. 32 lin. (3) of Law
nr. 133/2011)  
Czech Republic;
The Netherlands;
Faroe Islands;
Isle of Man;
New Zealand;
Republic of Korea Switzerland;
United Kingdom of Great Britain and Northern Ireland

Leave a Reply