Moldova
Summary
Law: Law No. 195/2024 on the Protection of Personal Data (only available in Romanian here) (Law No. 195/2024)
Regulator: National Centre for Personal Data Protection (NCPDP)
Summary: Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data. The EU does not recognize Moldova as providing adequate protection.
On August 23, 2024, Law No. 195/2024 on the Protection of Personal Data (Law No. 195/2024) fully transposes the GDPR into Moldovan law and provides general personal data protection provisions including data subject rights, duties of data operators, requirements for Data Protection Impact Assessments (DPIAs), and data transfer requirements. Law No. 195/2024 will come into effect two years after publication.
In the meantime, Law of 8 July 2011 No. 133 on Personal Data Protection remains in force. The Law provides general personal data protection provisions, establishes data subject rights such as the rights to access, rectification, or erasure, and includes requirements to appoint a data protection officer and provide data processing notifications. Data transfers from Moldova to the EEA are allowed under the Law, and in April 2022 the NCPDP approved a list of states that ensure an adequate level of protection of personal data, such as Canada and the UK. In addition, the Governmental Decision of December 14, 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian here) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP.
Moldova is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Convention 108) and the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Convention 108+).