Moldova: Amendments to the law on personal data protection – a shifting landscape
The Law of 11 November 2021 No. 175 for the amendment of some normative acts ('the Amendment Law') amended the Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law on Personal Data Protection') and entered into effect on 10 January 2022. In particular, the Amendment Law introduces new controller obligations, including the obligation to conduct Data Protection Impact Assessments ('DPIAs') and the appointment of a data protection officer ('DPO'). OneTrust DataGuidance breaks down the key amendments.
New definitions
The Amendment Law modifies the definition of consent and introduces the term 'profiling' in Article 3 of the amended Law on Personal Data Protection. The definition of consent of the personal data subject is expanded to refer to the free, specific, informed, and unambiguous expression of the will of the data subject by which they accept, through a statement or an unequivocal action, the processing of their personal data.
Profiling on the other hand is defined as a form of automatic processing of personal data, which consists of using personal data to assess certain aspects of an individual, in particular to analyse or establish aspects of performance at work, economic situation, health, preferences, interests, reliability, behaviour, location, and movement of the person.
Data protection obligations
DPIAs
The Amendment Law removed the requirement to notify the National Centre for Personal Data Protection ('NCPDP') of data processing activities. Previously, pursuant to Article 23(1) of the Law on Personal Data Protection, controllers were required to notify the NCPDP, either directly or through representatives they had authorised, before carrying out any processing of personal data.
Data controllers are now instead required to conduct DPIAs in certain circumstances, pursuant to Article 23(1) of the amended Law on Personal Data Protection. The requirement to conduct a DPIA is dependent on the nature, scope, context, and purposes of the data processing. Where the type of processing is likely to pose an increased risk to the rights and freedoms of persons, a DPIA will be required according to Article 23(1) of the amended Law on Personal Data Protection. However, a single assessment may address a set of similar processing operations that present similar increased risks.
Similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), DPIAs must be carried out where one of the following situations arise, pursuant to Article 23(3) of the amended Law on Personal Data Protection:
- systematic and comprehensive assessment of personal matters relating to natural persons, which are based on automatic processing, including profiling, and which are based on automated decisions which produce legal effects on the natural person, or which affect them in a similar way, to a significant extent;
- the processing, on a large scale, of certain categories of data relating to the disclosure of racial or ethnic origin, political opinions, religious denominations, philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for unique identification of a natural person, data on health, data on sexual life or sexual orientation, or on criminal convictions and offences of a natural person; and
- the systematic monitoring, on a large scale, of an area accessible to the public.
In relation to the actual assessment, the amended Law on Personal Data Protection states that the assessment must include, pursuant to Article 23(4), at least:
- a systematic description of the intended processing operations and the purposes of the data processing, including, where appropriate, the legitimate interest pursued by the controller;
- the assessment of the necessity and proportionality of the processing operations in relation to the respective purposes;
- a risk assessment for the rights and freedoms of the data subjects, including the origin, nature, specific degree of likelihood of occurrence of the increased risk, and severity of that risk, with the result of the assessment taken into account in order to determine the appropriate measures to be taken to demonstrate that the processing of personal data complies with the Amended Law; and
- risk prevention measures, including safeguards, security measures, and mechanisms designed to ensure the protection of personal data and to demonstrate compliance with the provisions of the Law on Personal Data Protection, taking into account the rights and legitimate interests of data subjects and other interested parties.
Importantly, where the processing has a legal basis in the normative acts in force, that legal basis regulates the specific processing operation or set of operations concerned, and a DPIA has already been carried out as part of a general impact assessment when that legal basis was adopted, the above will not apply unless the regulations provide otherwise, according to Article 23(6) of the amended Law on Personal Data Protection.
The NCPDP released, on 28 January 2022, a draft decision on the types of personal data processing operations that are subject to a DPIA. The draft decision sets out the criteria for assessing whether a DPIA will be required and lists specific data processing operations that will require one, with examples.
Prior consultation
Similar to prior consultation requirements under the GDPR, Article 24(1) of the amended Law on Personal Data Protection sets out that operators must consult the NCPDP before processing the data if the DPIA indicates that the processing would generate an increased risk and the operator considers that the risk cannot be mitigated by reasonable means in terms of available technologies and implementation costs. Article 24(2) of the amended Law on Personal Data Protection further sets out that where the NCPDP considers that the processing would violate the amended Law on Personal Data Protection, especially when the risk has not been sufficiently identified or mitigated by the operator, it will provide written advice to the operator, or the person authorised by the operator (if applicable).
Under Article 24(2) of the amended Law on Personal Data Protection, the prior consultation period can be extended by six weeks where there is complexity surrounding the intended processing. Importantly, the NCPDP will inform the operator, or the person empowered by the operator (if applicable), within one month of receipt of the request, of such extension, including detailed and specific reasons for the delay. These periods may be suspended until the NCPDP has obtained the information it has requested for consultation. Please note that the NCPDP may also establish and make available to the public a list of the types of processing operations for which a DPIA is not required.
In relation to the information that must be provided to the NCPDP when consulting it, the Amendment Law provides the following:
- where applicable, the controllers and the appropriate responsibilities of the controllers involved in the data processing activities, including processing within a group of undertakings;
- the intended purposes and means of processing;
- the measures and guarantees provided for the protection of the rights and freedoms of data subjects, in accordance with this law;
- as the case may be, the contact details of the person responsible for data protection; and
- other relevant and necessary information additionally requested by the NCPDP.
DPOs
Article 25(1) of the amended Law on Personal Data Protection sets out that operators and the person empowered by the operator must appoint a DPO whenever:
- the processing is carried out by a public authority or institution, except courts acting in the exercise of their judicial function;
- the main activities of the controller or the person authorised by the controller consist of processing operations which, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale; and
- the main activities of the operator or of the person empowered by operators consist of large-scale processing of special categories of data.
Notably, Article 25(2) of the amended Law on Personal Data Protection makes clear that a group of undertakings may appoint a single DPO responsible for data protection, provided that such person is easily accessible from every enterprise. In the cases where the controller or the person authorised by the controller is a public authority or public institution, a single DPO may be designated for several of those authorities or institutions, taking into account their organisational structure and size, pursuant to Article 25(3) of the amended Law on Personal Data Protection.
In relation to their employment, the DPO may work for the controller, or the person authorised by the controller, or may perform their duties under a service contract according to Article 25(5) of the amended Law on Personal Data Protection. Importantly, the operator or the person authorised by the operator is responsible for publishing the contact information of the DPO and communicating the same to the NCPDP under Article 25(6) of the amended Law on Personal Data Protection.
Role of a DPO
The DPO is designated on the basis of professional qualities, such as specialised knowledge regarding the regulations and practices in the field of data protection, as well as on the ability to fulfil the tasks provided in Article 25² of the Amendment Law and Article 25(4) of the amended Law on Personal Data Protection.
The Law on Personal Data Protection is supplemented by Articles 25¹ and 25² of the Amendment Law, which outline the role and tasks of the DPO. The role of the DPO requires that:
- the DPO is involved, properly and in a timely manner, in all matters relating to the protection of personal data;
- the DPO has the necessary resources to carry out their tasks, to maintain their specialist knowledge, and to access personal data and processing operations;
- the DPO is not dismissed or sanctioned for performing their duties;
- the DPO reports directly to the highest level of management;
- the DPO respects the secrecy or confidentiality attached to the performance of the role, in accordance with normative acts;
- where the DPO is permitted to perform other tasks and duties, the operator or the person authorised by the operator ensures that none of these tasks and responsibilities gives rise to a conflict of interest; and
- the DPO addresses queries from data subjects on matters relating to the processing of their data and the exercise of their rights under the amended Law on Personal Data Protection.
Responsibilities and duties of a DPO
The Amendment Law outlines a number of responsibilities and duties for DPOs. These responsibilities must include, at a minimum:
- informing and advising on the data protection obligations provided under law;
- monitoring compliance with the amended Law on Personal Data Protection and other normative acts regarding data protection, as well as the policies of the controller and authorised persons regarding the protection of personal data;
- assigning responsibilities, including on awareness-raising and training of personnel involved in processing operations and related audits;
- providing advice on request regarding DPIAs and monitoring their performance;
- cooperation with the NCPDP; and
- being the point of contact for the NCPDP on data processing issues, including prior consultation and, where appropriate, consultation on other matters.
More generally, the DPO is required to take account of the risk associated with the processing operations, taking into account the nature, scope, context, and purposes of the processing.
Cross-border transfers
The NCPDP will approve, by decision, a list of states that ensure an adequate level of data protection. The NCPDP will take into account a number of factors, including membership of international treaties on data protection, the existence and compatibility of data protection legislation, the competences of and cooperation with the data protection supervisor, as well as other important aspects of the legal regime for personal data protection.
Importantly, the NCPDP will also take into consideration decisions taken by the European Commission regarding the states that ensure an adequate level of protection of personal data, pursuant to Article 32(3) of the amended Law on Personal Data Protection. The NCPDP released a draft decision on the approved list of states that ensure an adequate level of personal data protection. The draft decision details the countries that will be regarded as ensuring an adequate level of data protection, namely:
- Andorra;
- Argentina;
- Canada;
- the Faroe Islands;
- Guernsey;
- the State of Israel;
- the Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- the Republic of Korea;
- Switzerland;
- Uruguay; and
- the United Kingdom.
In respect of the above, Article 32(4) of the amended Law on Personal Data Protection sets out that transfers of personal data to jurisdictions that do not provide an adequate level of protection are permissible in a number of circumstances, including:
- if the processing takes place on the basis of an agreement or treaty signed between the Republic of Moldova and the destination country;
- with the consent of the data subject, although information on the possible risks that such transfers may have for the data subject due to the lack of a decision on the adequacy of the level of protection and adequate safeguards must be provided; and
- if the processing takes place under the standard contract for the cross-border transmission of personal data, developed and approved by the NCPDP.
Penalties
Article XVI of the Contravention Code of the Republic of Moldova No. 218/2008 ('the Contravention Code') introduces violations attributable to the processing of personal data in violation of the Law on Personal Data Protection. Specifically, failure to comply with the basic conditions for processing, storage, and the use of personal data, as well as failure to use automated information systems or dedicated electronic means of communication, now attracts penalties under the Contravention Code.
Keshawna Campbell, Lead Privacy Analyst