ATIC contributes to the strengthening of specialized communications on the topic of personal data protection

Within the ABA Rule of Law Initiative Project “Personal data protection – rights and obligations in the Republic of Moldova” during the period November 2021-July 2022, ATIC organized a series of information sessions and focus group discussions addressed to the topic of personal data protection with the representatives of the academia, public authorities and the private sector. The activity was facilitated by the national experts Sergiu Bozianu and Mocanu Veronica, as well as by two representatives of the National Center for Personal Data Protection. The event, carried out with the public authorities, was facilitated by the Electronic Government Agency and the National Center for the Protection of Personal Data.

The purpose of the activity was to identify the framework of problems that affect the good assurance of personal data protection in the Republic of Moldova and to identify solutions. At the same time, the discussions were complimented by the evolution of the regulations in the field, because during the month of November 2021 a set of about 30 laws which aimed to strengthen the regulatory framework of the digital field in general, but also of the field of data protection, were approved. In the end a real workshop with the participation of more than 100 representatives of public authorities was held.

The elaborated changes refer in particular to the partial transposition of some provisions of the General Data Protection Regulation (GDPR), which referred to:

1. Modification of the notion of consent of the subject of personal data (previously, consent could only be given in written form or in electronic format with an electronic signature);
2. Canceling the national requirements regarding the mandatory registration of all personal data controllers with the National Data Protection Authority;
3. Including the procedure for carrying out the assessment of the impact on the protection of personal data;
4. Carrying out prior consultation with the Personal Data Protection Authority;
5. Inclusion of the requirements regarding the mandatory holding of the person responsible for the protection of personal data.
6. Establishing the principle of free movement of personal data from the Republic of Moldova to all European Union states, including countries that ensure an adequate level of personal data protection (the list of countries that ensure an adequate level of personal data protection is similar to the one approved in the European Union).- amending the legislation regarding the electronic document and electronic signature, by recognizing all electronic signatures that are issued by providers in the European Union;- amending the legislation regarding labor relations, including legal provisions by which the employer can conclude and terminate employment contracts with employees with the application of an electronic signature, and the possibility of remote work without the need for physical presence in the office;- the amendment of the legislation regarding the registration of legal entities, in particular, legal provisions were included whereby the establishment and deletion of a legal company can also take place through electronic instruments (electronic signature).

As result of the discussions, it was found that the controllers of personal data are in difficulty and have uncertainties regarding the following aspects:

if the obligation to register with the Data Protection Authority has been cancelled, then public institutions and authorities, including companies in the private sector, are no longer personal data controllers, respectively, do they no longer have the right to process personal data?

• Has the national personal data protection authority been abolished?- Will the Personal Data Protection Impact Assessment be carried out by the Personal Data Protection Authority in relation to each company or public authority?
• The company administrator will be the person responsible for the protection of personal data.
• If the registration of the controller is no longer required, are the controllers required to develop a security policy and Regulation on the processing of personal data? Clear explanations and practical solutions were provided to all these questions and uncertainties, both by the national experts who were invited to hold a training course, and by the representatives of the National Authority for the Protection of Personal Data, it being explained that the new changes had the task of offering new modern tools for protecting personal data but also opportunities to capitalize on the benefits of information technologies, which allow us to act remotely both in the case of the administrative or economic activities of the personal data controllers  and from the point of view of labor relations.

Responding to the participants questions, the experts explained that the changes made do not exempt the controllers from the obligations to protect personal data, but on the contrary make them responsible, or they, on an individual level, will develop and apply data protection measures, in such a way as to prevent possible damages. At the same time, the resized role of the National Authority for the Protection of Personal Data was highlighted, which from a control body turns into a supervisory authority, who has to resize its activities in such a way as to be able to offer support and guidance to controllers in the process of developing personal data protection measures.

The focus group activity was welcomed by all the participants involved and as a final conclusion, were recommended the initiation and organization of discussions dedicated to the protection of personal data indifferent areas of activity, or the necessary protection actions to be taken vary from sector to sector. As a priority, it was decided to approach the protection of personal data in the context of the provision of health services, education, order and public security, prisons, etc.