The Law on Personal Data Protection, Moldovan Privacy

Moldova’s Law No. 133 of 8 July 2011 on Personal Data Protection, also known as the Law on Personal Data Protection, is a data protection law that was passed in 2011. As Moldova is not a part of the European Union, the country does not fall under the jurisdiction of the General Data Protection Regulation. Despite this fact, the Law on Personal Data Protection Law transferred the EU’s Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, also known as the Data Protection Directive, into a Moldovan law. As such, the Law on Personal Data Protection regulates all data processing activities within Moldova.

How are data controllers and processors defined under the law?

Under the Law on Personal Data Protection, the term data controller is defined as “a natural or legal person governed by public or private law, including a public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”. Conversely, a data processor is defined as “a natural or legal person governed by public or private law, including a public authority and its territorial subdivisions, which processes personal data on behalf and upon the instruction of the controller”. Moreover, the personal scope of the law ensures the fundamental right to data protection and privacy for all Moldovan citizens.

Furthermore, the territorial scope of the law is applicable under the following circumstances:

• A data controller or processor is physically established within the Republic of Moldova.
• In instances where the “processing of personal data that is carried out within the diplomatic missions and consular offices of the Republic of Moldova, or where the controller is not established on national territory, such processing is situated in a place where national law applies by virtue of public international law”.
• A data controller or processor is not physically present with the Republic of Moldova, but nevertheless uses equipment within the country for the purposes of processing personal data, unless said processing is strictly for the purposes of transit through national territory.

What are the obligations of data controllers and processors under the Law On Personal Data Protection?

Under the Law on Personal Data Protection, data controllers and processors operating within Moldova are responsible for adhering to the following data protection and privacy principles at all times:

• Personal data must be processed in a manner consistent with fairness and lawfulness.
• Personal data may only be collected and processed for purposes that are specific, legitimate, and explicit, and any collection or processing of personal data done outside of these parameters is prohibited.
• All personal data that is collected or processed must be relevant, adequate, and non-excessive. As such, the further processing of personal data that does not align with these principles is prohibited.
• All personal data that is collected or processed must be accurate and kept up to date where necessary.
• All personal data must be kept in a form that allows for the identification of applicable data subjects, and said data must not be kept for any period of time longer than is needed to fulfill the purpose of collection or processing.

What are the rights of data subjects under the Law on Personal Data Protection?

The Law on Personal Data Protection provides Moldovan citizens with the following rights as it pertains to their privacy and data protection:

• The right to be informed– Prior to collecting personal data from data subjects, data controllers are required to provide said data subjects with information related to the processing of their personal data, such as the identity of the data controller and processor, as well as the purposes for collection or processing, among other details.
• The right to access– Under the law, data subjects have the right to request access to personal data they have submitted to a data controller or processor, without delay and free of charge.
• The right to rectification– Data subjects have the right to request that a data controller or processor rectify personal data relating to them, if said personal data is found to be incorrect or incomplete, without delay and free of charge.
• The right to erasure– Data subjects have the right to request that a data controller or processor erase personal data relating to them, if said personal data is found to be incorrect or incomplete, without delay and free of charge.
• The right to object or opt-out– The Law on Personal Data Protection states that “data subjects have the right to object, at any time and free of charge, on compelling legitimate grounds relating to his/her particular situation to the processing of personal data relating to him/her, save where otherwise provided by law”.
• The right not to be subject to automated decision making– Data subjects have the right not to be subject to data processing decisions made solely on the basis of automated processing methods or means.

As it relates to non-compliance with the law, the Law on Personal Data Protection is not enforced by a single governing authority or legal body, in contrast to many other data privacy laws. Instead, the law is enforced through the regulations and provisions set forth by the Criminal Code of the Republic of Moldova (No. 985-XV of 18 April 2002), also known as the Criminal Code for short. To this end, individuals and organizations who fail to comply with the Law on Personal Data Protection are subject to a monetary penalty of up to €7,500 ($8,661), “the deprivation to carry out certain activities for a period of one year”, and civil liabilities.

As Moldova is not a part of the EU and does not fall under the jurisdiction of the General Data Protection Regulation, the country needed a data privacy law that was on par with other European nations. While the provisions of the Law on Personal Data Protection are somewhat dated when compared to more modern privacy policies, the law nevertheless provides protection to Moldovan citizens as it relates to their personal data and in turn, their privacy. Moving forward, Moldova may look to pass additional legislation to bring its data protection and privacy infrastructures up to date with the EU’s GDPR Law.