Moldova: SCCs for international data transfers
On 22 April 2022, the National Centre for Personal Data Protection ('NCPDP') approved the standard contract for the cross-border transmission of personal data to states that do not ensure an adequate level of personal data protection. Roger Gladei, Iulian Pașatii, and Irina Culinschi, from Gladei & Partners, look at Standard Contractual Clauses ('SCCs'), their main clauses, and challenges of this newly established data transfer regime.
Background
Following a substantial legal amendment adopted in November 2021 and effective since January 2022, the Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law'), with slight differences, has come closer than ever to the EU standards relating to personal data protection. Among the many changes the national legislative framework has undergone, the amendment affected the provisions relating to the cross-border transfer of personal data, allowing the free movement of data between Moldova and Member States of the EEA. Additionally, a barrier-free data transmission regime has been implemented for transfers of personal data to states that ensure an adequate level of personal data protection, which are included in a list adopted and published by the NCPDP.
In cases where the state to which personal data is transmitted does not meet the aforementioned adequacy criteria, data controllers must have a legal basis for such a transfer. Among the legal bases provided under Article 32 of the Law, it is stipulated that the cross-border transfer may be carried out on the basis of a standard contract for the cross-border transmission of personal data, developed and approved by the NCPDP, concluded by the data controller or data processor in any of the three scenarios described below.
On 22 April 2022, the NCPDP approved SCCs for the cross-border transmission of personal data to states that do not ensure an adequate level of personal data protection. A contract of this kind is a novelty for the Moldovan data protection legal framework and is mainly based on the updated SCCs adopted by the European Commission in 2021.
Despite the similarities between the EU and the Moldovan SCCs, the main difference between the two is that the Moldovan contract covers only three transfer scenarios, namely controller-to-controller, controller-to-processor, and processor-to-controller, excluding the processor-to-processor scenario. This is because Moldovan law does not yet regulate processor-to-processor interactions in detail, and requires all processors handling the data controller's data to have a direct contractual relationship with the controller. It is, however, noteworthy that this matter is expected to be resolved in the near future by a legislative amendment, a draft of which is currently circulated for public consultation.
Contents
As previously mentioned, the SCCs address three cases of cross-border data transfer, and are composed of three sections and 17 modular clauses, which provide flexibility to all parties involved in cross-border data transfers, as they can select the clauses relevant to their particular contractual circumstances.
The main clauses of the SCCs include provisions relating to:
- guarantees relating to the protection of personal data transmitted abroad;
- obligations of the data processors relating to the fulfilment of the contract, for example, allowing for an audit to be carried out by the exporter in connection to the data processing activities of the importer;
- rights of data subjects, which include the provision of information to data subjects relating to the processing of their data and the data subject's right to oppose data processing;
- liability of the parties for damage caused to the data subjects following non-compliant data processing;
- remedies available to data subjects in case of violation of data processing and storing provisions;
- obligations of the data importer in case of access by public authorities, i.e. the obligation of the data importer to notify the exporter about any requests from governmental authorities to disclose personal data; and
- the exclusive competence of Moldovan courts in relation to all disputes arising from the SCCs.
Additionally, the Moldovan SCCs, similarly to the European SCCs, contain a 'docking clause' which allows third parties to adhere to the contractual clauses at any point, thus becoming a party to, and bound by, the signed standard contract.
Section 4 of the SCCs provides for the termination grounds available to the data exporter in case the data importer is not compliant with the agreement. The data exporter is entitled to suspend any data transfers in case the contractual clauses have been infringed by the importer and, if such infringements have not been remedied, the agreement may be terminated by the exporter after one month following the suspension.
Aside from the 17 clauses, the SCCs are supplemented by two crucial annexes that aim to ensure transparency and accountability of the parties to the contract.
Annex 1
Annex 1, divided into Sections A and B, covers:
- the parties to the agreement, and their identification information, such as names, addresses, activities associated with the data transfer, and their role in the agreement (i.e. the data controller or data processor); and
- the description of the transfer, which will lay out the categories of the transferred data, the purpose and nature of processing, frequency of transfers, and data retention period, among others.
Annex 2
Annex 2 prescribes the technical and organisational measures designed to ensure the security of personal data, implemented by the data importer in order to guarantee an adequate level of data safety. The appendix also includes examples of possible measures which can be undertaken by the importer, such as:
- depersonalisation and encryption measures;
- measures for ensuring confidentiality, integrity, and continuous resilience of the processing systems and services;
- measures ensuring the safety of the physical premises where the data is stored; and
- limitations to the storage period of the data.
Challenges
The SCCs implemented a new legal framework for the data transfer regime; however, certain questions remain unanswered. The most pertinent issue relates to cross-border transfers of data to the US, which is not included in the list of states that ensure an adequate level of data protection, as Moldova follows the European model on this subject after the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). Consequently, the US is considered a non-adequate country in terms of data protection, and additional roadblocks are faced by the data exporters and importers from the US and Moldova. This is particularly challenging for American companies setting up subsidiaries in Moldova that are expected to transfer data across the ocean in the course of their business activities, as well as for American companies providing services in Moldova and, thus, acting either as data processors or data controllers.
Another challenge arising from the new status quo relates to electronic signatures. Considering the cross-border nature of the agreement entered into by the data importer and exporter, it is likely that the parties will opt for electronic signatures to express their consent to the binding clauses. Currently, Moldovan law imposes several conditions (certifications, accreditations, and recognitions in Moldova) that make the use of foreign e-signatures a nearly impossible exercise, unless the foreign e-signature provider complies with the conditions imposed by Moldovan law, or a bilateral treaty grants recognition of its e-signatures. Although the law was recently amended to allow the use of European e-signatures, local technical implementation has not yet been achieved. Nonetheless, the legal status of e-signatures issued in the countries where the data importers are going to be located is still unclear.
Effects
The SCCs are a new instrument available to data controllers and data processors in Moldova, and considering their recent adoption, it is not yet known how efficient they are going to be in the context of data protection. Nonetheless, the NCPDP has undertaken the obligation to suspend any cross-border data transfer in cases where a data importer located in a non-adequate country fails to adhere to the SCCs, or if the local government prevents the data importer from complying with the SCCs. Any further transfers can be resumed only after the importer remedies all shortcomings relating to data processing obligations under the agreement.
Roger Gladei Managing Partner
Iulian Pașatii Partner
Irina Culinschi Associate
Gladei & Partners, Chisinau