Personal data protection

Persoanal data protection legislation law in the Republic of Moldova is currently undergoing massive changes with the purpose of adopting EU provisions and adapting them to national law.

Personal data processing requirements in European Union (EU) are set up now by EU General data protection regulation (GDPR) and in the Republic of Moldova the legislative framework consists of Law No. 133, as of July 8, 2011on the personal data protection.

During the past years the EU financed the „EU TWINNING PROJECT” in order to transpose the GDPR in the RM.

Personal data is any information that relates to an identified or identifiable living individual  such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Also, special category data personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation.

Legislation protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organized in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the legislation.

Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Controller – means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Joint controller – where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

Processor – means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

Processing of the personal data should be conducted by following the next rules:

  • To process data according to the general principles (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation,  integrity and confidentiality, accountability);
  • To process data according to the instances established by the law;
  • To be able to demonstrate compliance with all the requirements and principles.

Data subjects’ privacy rights:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. Rights in relation to automated decision making and profiling.

When you are allowed to process data:

  1. The data subject gave the specific, unambiguous consent to process the data.
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party.
  3. In order to comply with a legal obligation of yours.
  4. In order to process the data to save somebody’s life. 
  5. Processing is necessary to perform a task in the public interest or to carry out some official function.
  6. You have a legitimate interest to process someone’s personal data.

Applicability:

General rule: the Law on the personal data protection is applicable every time there is a procession of personal data.

Exceptions:

  • Processing personal data for domestic purposes;
  • Processing unstructured paper records;
  • Processing anonymous data;
  • Processing data regarding the offenders or victims of war crimes, genocide and crimes against humanity.

Applicability of GDPR:

GDPR may be directly or indirectly applicable to any company established in Moldova if certain criteria of its activities with personal data processing take place.

The general sequence of criteria concerning GDPR applicability will be as following: a) economic activity b) that brings along personal data processing c) and which takes place in EU by means of Moldova company establishment in EU or d) by company that is established in Moldova, if processing is directed towards data subjects in EU.

Direct applicability:

  1. Company of Moldova – not established in EU, but personal data processing activities of relevant company (or entity) in Moldova are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.
  2. Company of Moldova – not established in EU, but personal data processing activities are related to the monitoring of data subject`s behavior as far as their behavior takes place within the EU.
  3. If a company registered of Moldova in EU member state has its daughter company, representative office or any other office that processes personal data within its economic activity in EU, then this office in EU will be treated as an establishment in EU and then GDPR applies at least to this office in EU.

Indirect applicability:

1. The company in Moldova operates as a processor for any other company in EU.

GDPR do not apply if the company is established in Moldova and processing relates only to the economic activity carried out in Moldova.

Main aspects in order to conform with legislation:

  1. Controllers and processors to undertake thorough reviews of their existing data policy cycle so as to clearly identify which data they hold, for what purpose and on what legal basis.
  2. Controller or processor has to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  3. Data protection impact assessment- to assess companies compliance with their data protection obligations and to identify any potential risks and mitigation strategies.
  4. Controller has to provide certain information on processing to data subject in case personal data are obtained directly from data subject or from third persons. 
  5. Controller and processor have to designate personal data protection officer in case when company processes special categories of personal data in large scale as core activities or the core activities of the relevant company consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
  6. In case of a personal data breach, the controller needs to notify it to the supervisory institution.

The competent authority in this field is the National Center for Personal Data Protection of the Republic of Moldova, it is an autonomous, public and independent authority.

The main objectives of the national authority is to defend the fundamental rights and freedoms of natural persons, especially the right for private life regarding the processing and cross-border transfer of personal data, organizing actions to prevent violations of the legislation in the field, including the rights of data subjects, guiding the data controllers in the context of the correct application of the legislation in the field and informing, raising awareness and educating the society on the importance of personal data protection.