Moldova: Strengthening privacy with new Personal Data Protection Law
In this Insight article, Iulian Pașatii and Liviana Frunză, from Gladei & Partners, discuss Moldova's strengthened privacy framework with the enactment of Law No. 195 on the Protection of Personal Data (LPDP), which introduces stricter regulations to safeguard personal data and expands the rights of data subjects, enhancing Moldova's data protection standards.
In an era where technological advancement poses a threat to data privacy, Moldova has taken a significant step forward with the enactment of the LPDP. This new law, which aligns with the EU's General Data Protection Regulation (GDPR), introduces a robust framework designed to enhance the protection of personal data. Replacing the older Law No. 133, the LPDP, entering into force in 2026, brings new provisions and stricter regulations aimed at safeguarding individuals' privacy rights in the digital age.
One of the key changes in the new LPDP is its full alignment with the GDPR. The harmonization of the Moldovan law ensures that the data protection standards are in line with those of the EU, providing a comprehensive and detailed framework for the protection of personal data. The previous Law was based on the now-abrogated Directive 95/46/EC, making this update essential for modern data protection needs.
The new LPDP introduces several new rights for data subjects, thereby significantly expanding their control over personal data. These rights include:
- Right to restrict processing - individuals have the right to request the restriction of data processing by the controller in specific situations. These include cases where the accuracy of the personal data is contested; where the processing is unlawful but the data subject opposes erasure and instead requests restriction; or where the controller no longer needs the data but the data subject requires it for legal claims. Additionally, the right applies if the data subject objects to the processing, pending verification of whether the controller's legitimate interests override those of the data subject.
- Right to be forgotten - data subjects have the right to request the erasure of their personal data from the controller without undue delay. The controller is obliged to erase the personal data promptly if the data are no longer needed for the original purpose of collection, the subject withdraws their consent or objects to the processing (unless there are legitimate grounds for continued processing), the data have been unlawfully processed, the data must be deleted to comply with a legal obligation, or the data were collected in connection with the provision of information society services.
- Right to data portability - data subjects have the right to receive their personal data, which they have provided to the controller, in a structured, commonly used, and machine-readable format. They also have the right to transfer this data to another controller without interference from the original controller. This right is applicable when the data is processed based on the subject's consent and the processing is carried out by automated means.
A new opportunity under the LPDP is that data controllers can now collaborate through association, allowing two or more controllers to jointly determine the purposes and means of processing. They are required to transparently outline each controller's responsibilities, particularly regarding data subjects' rights to request information. This arrangement is formalized through an agreement unless otherwise specified by regulatory acts. The agreement may also designate a specific contact point for data subjects.
Furthermore, the new LPDP provides detailed regulations concerning the record of processing activities. According to Article 30, each controller and their representative, if applicable, must maintain a record of their processing activities. This record should include the names and contact details of the controller, any associated controllers, their representative, and the data protection officer (DPO). It must also specify the purposes of processing, describe the categories of data subjects and personal data, and list the categories of recipients of personal data, including those in other countries or international organizations.
Additionally, the record should detail any personal data transfers to other countries or international organizations, along with documentation of adequate safeguards. Where possible, the record should also include expected deadlines for data deletion and a general description of technical and organizational security measures.
In the event of a personal data security breach, the controller is required to notify the National Centre for Data Protection (NCDP) without undue delay and, if possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. If notification is not made within the 72-hour period, a reasoned explanation for the delay must be provided.
The notice must include the following details:
- description of the nature of the breach, including, where possible, the categories and approximate number of affected individuals and records;
- the name and contact details of the DPO or another designated contact point from whom further information can be obtained;
- the likely consequences of the breach; and
- the measures taken or proposed by the controller to address the breach, including, where appropriate, steps to mitigate any negative effects.
The new LPDP outlines the factors that the NCDP must consider when assessing the adequacy of another state's data protection standards for cross-border data transfers:
- The rule of law, respect for fundamental rights and freedoms, and relevant legislation (both general and sector-specific), including those related to public security, defense, national security, and criminal law. Additionally, the LPDP considers public authorities' access to personal data and the implementation of data protection legislation, along with professional standards and security measures. This also includes rules governing the onward transfer of personal data to another state or international organization, relevant case law, and the existence of enforceable rights and remedies for data subjects whose personal data is transferred.
- The existence and effective functioning of one or more independent supervisory authorities in a foreign state or under the jurisdiction of an international organization. These authorities must be responsible for ensuring compliance with personal data protection rules, possess adequate enforcement mechanisms, provide assistance and advice to data subjects on exercising their rights, and cooperate with the NCDP.
- International commitments adhered to by the foreign state or international organization or other obligations arising from international treaties. The state's or organization's participation in multilateral or regional platforms, particularly in the area of personal data protection, is also considered.
- Decisions of the European Commission regarding the adequacy of the level of protection offered by the state or international organization in question.
At the same time, the NCDP approves mandatory corporate rules that include the following:
- the structure and contact information accessible to data subjects;
- details about the data being processed, including the categories of personal data, the purpose of processing, the individuals affected, and the countries involved;
- compliance with legal provisions and adherence to data protection principles, such as limiting the purpose of data use, minimizing data collection, setting appropriate storage periods, maintaining data quality, implementing security measures, and establishing a legal basis for processing;
- an assessment of the risks to data subjects; and
- the liability of the controller.
In the absence of an adequacy decision or appropriate safeguards, including binding corporate rules (BCRs), personal data transfers to another country or international organization may only occur under specific conditions:
- the data subject has given explicit consent after being informed of the potential risks due to the lack of adequate protection and safeguards;
- the transfers are necessary for executing a contract with the data subject or for taking pre-contractual measures at their request;
- the transfers are required for concluding or executing a contract in the data subject's interest between the controller and another party;
- the transfers are necessary for reasons of important public interest;
- the transfers are required for establishing, exercising, or defending legal claims in administrative, judicial, or extrajudicial proceedings;
- the transfers are essential for protecting the vital interests of the data subject or others when the data subject is unable to give consent; or
- the transfers are made from a public register that is intended to provide information to the public and is accessible under specific conditions.
Additionally, a new limitation period has been introduced for submitting a complaint to the NCDP. Complaints must now be filed within one year from the date on which the individual became or could have become aware of the alleged infringement, but no later than three years from the date the infringement occurred.
New provisions on the sanctions applied for violations of the data protection legislation have been added. Pursuant to Article 87, fines of up to MDL 1 million (approx. $56,600) or, in the case of an enterprise, up to 1% of the total turnover realized in the year preceding the sanction (whichever is higher) shall be imposed for violations of the following provisions:
- the obligations of the controller and the processor;
- the obligations of the certification body; or
- the obligations of the monitoring body.
Furthermore, fines of up to MDL 2 million (approx. $113,300) or, in the case of a company, up to 2% of the total turnover realized in the year preceding the sanction (whichever is higher) shall be imposed for infringements of the following provisions:
- the basic principles for processing, including the conditions for consent;
- the rights of data subjects;
- transfers of personal data to a recipient in another state or to an international organization;
- the obligations of the controller and DPO; or
- failure to comply with a corrective measure, a temporary or definitive restriction on processing, or a suspension of data flows issued by the NCDP within the limits provided by law.
In this regard, as per Article 60, paragraph 2, the NCDP may apply the following corrective measures:
- issue warnings to controllers or processors about potential violations of the law;
- issue warnings if processing operations have violated the law;
- instruct controllers or processors to comply with data subject requests under the law;
- instruct controllers or processors to ensure processing operations comply with the law, specifying the method and deadline if necessary;
- require controllers to inform data subjects about personal data breaches as prescribed by law;
- impose temporary or permanent processing restrictions, including bans, as prescribed by law;
- order the rectification or deletion of personal data or restriction of processing;
- withdraw or require certification bodies to withdraw certifications;
- impose fines, in addition to or instead of the measures mentioned, depending on the case; and
- suspend data flows to recipients in another state or international organization.
In addition, for violations of a corrective measure issued by the NCDP, fines of up to MDL 2 million (approx. $113,300) or, in the case of an undertaking, up to 2% of the total turnover realized in the year preceding the sanction (whichever is higher) shall be imposed in accordance with the criteria established by the law. It is important to note that, without prejudice to the corrective measures of the NCDP, the sanctions provided shall also be applied to public authorities and institutions. At the same time, if the total turnover realized in the year preceding the sanction is not recorded, the last year preceding shall be considered.
The new LPDP also provides broader regulations regarding the implementation of codes designed to ensure the proper application of the law. Additionally, it establishes competent bodies responsible for monitoring the proper application of the law by controllers accredited by the NCDP.
The alignment of Moldova's LPDP with the EU GDPR marks a crucial step for the country, as it brings its data protection standards in line with those of the EU. This harmonization not only strengthens the legal framework for protecting personal data but also enhances trust between Moldovan businesses and their EU counterparts. For businesses in Moldova, compliance with these stricter regulations will be critical in maintaining access to the European market, as non-compliance could result in severe penalties and barriers to data transfers. Moreover, the new LPDP's introduction of enhanced data subject rights and detailed obligations for data controllers and processors positions Moldova as a country committed to upholding privacy and security in the digital age. The impact of this law is expected to be profound on Moldova's business environment, encouraging transparency, accountability, and improved data management practices, which are essential for economic growth in a data-driven global market.
Iulian Pașatii Partner
Liviana Frunză Junior Associate
Gladei & Partners, Moldova