In May, a new data protection law was passed in the first reading in the Parliament. The law has been officially adopted in the second reading on 25 July 2024. It was developed in the context of Association Agreement with the European Union (art. 13 para. (1) ), according to which the Republic of Moldova should ensure a high level of personal data protection, in accordance with the international instruments of the European Union and the Council of Europe. The new law transposes the EU General Data Protection Regulation (GDPR) into the national regulatory framework, includes provisions regarding the activity of the National Center for the Protection of Personal Data and covers the liability for non-compliance with the legal framework. The Law will enter into force after 24 months from the date of publication in the Official Gazette, thus allowing for a period of preparation for implementation.
New legal provisions for personal data protection in line with EU GDPR
The law contains provisions that refer to the rights of the data subject, the controllers and processors, transfers of personal data to other states or to international organisations and specific cases of personal data processing partially described in a previous update.
Additional provisions include a chapter dedicated to the regulation of the National Center for the Protection of Personal Data (Center) and a to legal remedies, liability and sanctions for non-compliance with the legal framework.
The Center is a public authority that operates independently from other public authorities. Its mission is to supervise and monitor the application of the new Law and other normative acts on the processing of personal data, in order to protect the fundamental rights and freedoms of natural persons.
The Law also outlines:
- the examination and investigation procedures carried out by the Center in case of alleged violations of the legal regime personal data protection;
- the right of the Center to carry out "searches" of the premises, the concerned institutions, or the means of transport of natural persons;
- pecuniary sanctions and the procedure for applying fines in case of violations in the processing of personal data.
A separate chapter includes special legal norms regarding situations of personal data processing that occur in connection with the following cases:
- Freedom of expression. The law does not apply if cumulatively (a) the personal data processing is carried out for journalistic purposes or for the purpose of academic, artistic or literary expression, (b) publication of the material would be of public interest, (c) the application of the law is incompatible with the achievement of journalistic purposes or the purpose of academic, artistic or literary expression.
- Access to information of public interest. Personal data held by the information providers can be disclosed under the conditions of Law on access to information of public interest no. 148/2023, with the exception of racial or ethnic origin, political opinions, religious confession or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the unique identification of a natural person, health data or data regarding a natural person's sexual life or sexual orientation).
- Processing a national identification number.
- Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
The law will enter into force 24 months after publication
The national actors will be given a preparation period before the new legal provisions take effect. The Law will enter into force 24 months after the publication in the Official Gazette. Upon entry into force, the Law will replace the current Law on protection of personal data 133/2011, that regulates the processing, storing and use of personal data, the Law no. 182/2008 regarding the approval of the Regulation of the National Center for the Protection of Personal Data and articles 741-743 and art. 4234 of the Contraventions Code 218/2008.
The draft law went through a compliant process of consultation with civil society. At some point the draft law received criticism due to its unclear wording, which could lead to misinterpretation.
The new Law will improve the protection of personal data, in line with the EU GDPR. It is important step forward for the civil society environment of the Republic of Moldova, both because it regulates the way in which the personal data of individuals is protected, but also because the provisions apply directly to CSOs that act as controllers of personal data.