DLA Piper Intelligence

Data Protection
Laws of the World

Law

Moldova
Moldova

The main national legal acts regulating personal data protection in Moldova are:

  • the Constitution of the Republic of Moldova (Article 28);
  • the Law No. 133 of 08 July 2011 on Personal Data Protection;
  • the Law No. 182 of 10 July 2008 regarding the approval of the National Centre for Personal Data Protection regulation, structure, staff-limit and its financial arrangements;
  • the Government Decision No. 296 of 15 May 2012 on the approval of the Regulation regarding the Register of evidence of the personal data controllers;
  • the Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of personal data security and their processing within the information systems of personal data.  

The law on Personal Data Protection is the core legal act establishing the legal framework of personal data protection in Moldova.  It has been adopted to harmonize the national regulations with the provisions of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 

In the near future we expect the adoption of a new Law on Personal Data Protection which will transpose the provisions of the GDPR with some adjustments to Moldovan conditions. 

Please note that Moldova is not an EU country and European provisions on personal data protection are not directly applicable in Moldova.

Last modified 14 Jan 2020
Law
Moldova

The main national legal acts regulating personal data protection in Moldova are:

  • the Constitution of the Republic of Moldova (Article 28);
  • the Law No. 133 of 08 July 2011 on Personal Data Protection;
  • the Law No. 182 of 10 July 2008 regarding the approval of the National Centre for Personal Data Protection regulation, structure, staff-limit and its financial arrangements;
  • the Government Decision No. 296 of 15 May 2012 on the approval of the Regulation regarding the Register of evidence of the personal data controllers;
  • the Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of personal data security and their processing within the information systems of personal data.  

The law on Personal Data Protection is the core legal act establishing the legal framework of personal data protection in Moldova.  It has been adopted to harmonize the national regulations with the provisions of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 

In the near future we expect the adoption of a new Law on Personal Data Protection which will transpose the provisions of the GDPR with some adjustments to Moldovan conditions. 

Please note that Moldova is not an EU country and European provisions on personal data protection are not directly applicable in Moldova.

Last modified 14 Jan 2020
Definitions

Definition of personal data 

Personal data is defined as “any information relating to an identified or identifiable natural person (“personal data subject”)”. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 

Definition of sensitive personal data 

Sensitive personal data is defined as special categories of personal data. Such special categories include data related to race, ethnic origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data relating to criminal convictions, administrative sanctions or coercive procedural measures.

Last modified 14 Jan 2020
Authority

The National Centre for Personal Data Protection (“NCPDP”) is the national data protection authority.  The permanent headquarters of the Centre are located in Chisinau, 48, Serghei Lazo str., MD-2004, T: +37322820801, F: +37322820807, www.datepersonale.md.

Last modified 14 Jan 2020
Registration

Under current regulations before starting any operations on processing of personal data the controller shall notify its processing to the NCPDP and register as data controller. 

The NCPDP is in charge of maintaining the Registry of Data Controllers.  The registration of the controller/ notification of processing is performed by the submission of a standard form notification to the NCPDP via their online platform. 

Separate notifications shall be submitted for each data filing system. 

The notification should contain the following information:

  • name and address in the Republic of Moldova of the controller and the processor, if any;
  • the purpose of processing;
  • the description of category of personal data subjects and of the data to be processed, as well as the sources of the data;
  • the existence of the personal data subject’s consent to the processing of data;
  • the way of informing of personal data subjects about their rights; estimated date for ending the processing operations, as well as further destination of personal data;
  • the recipients to whom the personal data is intended to be disclosed;
  • the guarantees for the transfer of personal data intended to take place;
  • persons responsible for the personal data processing. 

Along with the notification an applicant shall submit a set of justifying documents which clarifies the categories of processed data, purposes of the processing, duration, security measures implemented in the company, measures to guarantee the rights of the referred subjects, etc.

Last modified 14 Jan 2020
Data Protection Officers

The appointment of an internal data protection officer is required.

Last modified 14 Jan 2020
Collection & Processing

Personal data shall be processed with the consent of the personal data subject, unless an exception applies. 

The consent of the data subjects is not necessary where the processing is necessary for:

  • performance of a contract to which the personal data subject is party, in order to take steps at the request of the data subject prior to entering into a contract;
  • carrying out an obligation of the controller, under the law;
  • protection of the life, physical integrity or health of the personal data subject;
  • performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the controller or in a third party to whom the personal data is disclosed;
  • the purposes of legitimate interest pursued by the controller or by the third party to whom personal data is disclosed, except where such interest is overridden by the interests for fundamental rights and freedoms of the personal data subject;
  • statistical, historical or scientific-research purposes, except where the personal data remains anonymous for a longer period of processing 

Processing of special categories of personal data shall be prohibited, except for cases provided by the Law. 

Personal data undergoing processing must be:

  • processed fairly and lawfully;
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits the identification of personal data subjects for no longer than is necessary for the purposes for which the data was collected and further processed. 

The data controller shall ensure the confidentiality of personal data. The data controller and other persons who have access to the personal data, shall not disclose any information to a third party without the prior consent of the data subject unless one of the following exclusions applies:

  • processing relates to data which is voluntary and manifestly made public by the personal data subject;
  • the personal data is rendered anonymous. 

The controller must implement appropriate technical and organizational measures to protect personal data against destruction, alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data.

Last modified 14 Jan 2020
Transfer

Cross-border transfers of personal data undergoing processing or that is intended for processing after transfer may take place only with the authorization of the NCPDP, and only if the country in question ensures an adequate level of protection of personal data subjects’ rights and of the data intended for transfer. 

Where the Centre considers that the country of destination does not ensure an adequate level of protection, it shall prevent any transfer of data. 

The authorization of the cross-border transfer of data is not necessary if the transfer: 

  • is provided for under an international treaty to which Moldova is a signatory;
  • is carried out solely for journalistic, literary or artistic purposes, is such data that is voluntarily and manifestly made public by the personal data subject or if they are closely related to the personal data subject’s status of a public person or to the public nature of the acts in which it is involved. 

The Centre may authorise the transfer of personal data to a state which has legislation that does not ensure at least the same level of protection as that offered by the law of the Republic of Moldova, provided that the controller provides sufficient guarantees regarding the protection and the exercise of the personal data subjects’ rights. Such guarantees are to be provided in the data transfer agreements concluded by the controllers and natural or legal persons to which data is transferred.  

Besides the above, the cross border transfer of data to countries that do not ensure an adequate level of protection may be authorized if one of the following conditions is met: 

  • the data subject consents to the transfer;
  • if the transfer is necessary for the conclusion or performance of an agreement or contract concluded between the personal data subject and the controller or between the controller and a third party in the interest of the personal data subject;
  • if the transfer is necessary in order to protect the life, physical integrity or health of the personal data subject;
  • if the transfer is made from a register which according to the law is intended to provide information to the public and which is open to consultation either by the public or by any person who demonstrates a legitimate interest, to the extent that the conditions for consultation in particular cases laid down in law are fulfilled;
  • the transfer is necessary for the accomplishment of an important public interest, such as national defence, public order or national security, carrying out in good order a criminal trial or ascertaining, exercising or defending a right in court, on the condition that the personal data is processed solely in relation to this purpose and only for longer period is necessary to achieve it. 

Currently, no country is recognized as ensuring an adequate level of protection.  In most cases for authorization of transfer the NCPDP requests the consent of the data subject to the transfer and the signed data transfer agreement. 

The Republic of Moldova is not an EU member state. Thus, the standard clauses are not applicable. The Standard clauses may be used only as a data transfer agreement template and requires amendment to the local requirements.

Last modified 14 Jan 2020
Security

The controller must implement appropriate technical and organizational measures to protect personal data against destruction, alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data. 

Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of personal data security and their processing within the information systems of personal data is used as a reference for the minimum-security measures to be implemented by the controller. 

Last modified 14 Jan 2020
Breach Notification

Data controllers shall submit to the NCPDP an annual report on any security incidents involving information systems during that year.

Last modified 14 Jan 2020
Enforcement

The NCPDP is responsible for the enforcement of the Law on Personal Data Protection. The NCPDP is entitled to: 

  • carry out checks;
  • consider complaints from data subjects;
  • require the submission of necessary information about personal data processing by the data controller;
  • require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data;
  • file court actions;  

Violation of personal data protection legislation may result in administrative liability.  The maximum administrative penalty that can be imposed, as at the date of this review, is MDL (Moldovan lei) 15,000 which is about EUR 750.

If the violation has led to material or moral damages, the violator may be required by the court to reimburse such damages. 

The NCPDP may also suspend or prohibit the processing of data if the rules on personal data protection are breached.

Last modified 14 Jan 2020
Electronic Marketing

The Law on Electronic Commerce dated July 22, 2004 provides for certain legal requirements for distribution of commercial electronic messages in the area of electronic commerce. In particular:

  • commercial electronic messages are allowed only subject to the preliminary consent of a subscriber or addressee to receive such messages;
  • the recipient shall have easy access to information regarding the individual or legal entity sending the message;
  • commercial electronic messages regarding sales, promotional gifts, premiums etc. shall be unequivocally identified as such and the conditions for receiving of such promotions shall be clearly stated to avoid their ambiguous understanding.
Last modified 14 Jan 2020
Online Privacy

At the date of this review, Moldovan law does not specifically regulate online privacy. 

There are no specific requirements on data location, except for the requirement of the prior authorization of the cross-border transfer of data.

Last modified 14 Jan 2020
Contacts
Sergiu Chirica
Sergiu Chirica
Senior Associate
ACI Partners
T +373 22 279 323
Marina Zanoga
Marina Zanoga
Senior Associate
ACI Partners
T +373 22 279 323
Last modified 14 Jan 2020