Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
1
C O N T E N T S
PREFACE ……………………………………………………………………………….......................3 - Perception of development level of data protection field in the Republic of Moldova ( H.E.
György VARGA, Former Ambassador Extraordinary and Plenipotentiary of Hungary to the Republic of Moldova)................................................................................................................3-5
- Perception of development level of data protection field in the Republic of Moldova ( Mr. Udo BURKHOLDER, Head of European Union’s Border Assistance Mission to Moldova and Ukraine..........................................................................................................................................6
- Outlined objectives or 2012..........................................................................................................7
CHAPTER I THE SUPERVISORY AND CONTROL ACTIVITY
1.1 Performing controls, analytical work, participation in courts..................................................8-20
- Perception of development level of data protection field in the Republic of Moldova (Mr. Mihai BALAN, Director of Intelligence and Security Service of the Republic of Moldova)................................................................................................................................13-14
1.2 Registration of data controllers, databasis, information and informatics systems in which personal data are stored and processed..................................................................................20-21
1.3 Examination of personal data subjects’ petitions and other appeals.....................................21-22
CHAPTER II LAWMAKING ACTIVITY, CONSULTATION AND
GIVING OPINION TO DRAFT BILLS
- Perception of development level of data protection field in the Republic of Moldova (Mr. Anatolie MUNTEANU, Parliamentary advocate, Director of the Center for Human Rights of the Republic of Moldova)......................................................................................................23-24
2.1 Harmonization of regulatory and legislative framework governing the personal data protection field........................................................................................................................................25-29 2.2 Giving oponions of normative and legislative Acts...............................................................29-34
CHAPTER III TRANSPARENCY IN DECISION MAKING PROCESS, COMUNICATION AND PUBLIC
RELATIONS, PROMOTION OF THE FIELD VIA INFORMING CITIZENS 3.1 Mediatization of the Center’s activity....................................................................................34-37
- Perception of development level of data protection field in the Republic of Moldova ( Mr.Liubomir CHIRIAC, Executive Director of Institute for Development and Social Initiatives „Viitorul”, PhD in physical and mathematical sciences.............................................................38
- Perception of development level of data protection field in the Republic of Moldova ( Mrs. Adelina LUNGU, director of Public Assiciation „Pro DATA Lex”)....................................39-40
3.2 Information activities and promoting data protection field....................................................41-43 3.3 High-level official meetings, co-operation with other national authorities...........................43-47
- Perception of development level of data protection field in the Republic of Moldova ( Mr. Dorin RECEAN, Minister of Internal Affairs of the Republic of Moldova)..............................46
3.4 Consulative Council’s activity of the Center ........................................................................47-48
2
CHAPTER IV
INTERNATIONAL CO-OPERATION
- Perception of development level of data protection field in the Republic of Moldova ( Mrs. Natalia GHERMAN, Deputy Minister of Foreign Affairs and European Integration of the Republic of Moldova...................................................................................................................49
4.1 Participation in international conferences, as well as in the international working groups activities.................................................................................................................................50-52
4.2 Assistance from which benefited the Center through the Technical Assistance and Information Exchange Instrument managed by the Directorate-General Enlargement of the European Commission (TAIEX)............................................................................................................52-53
4.3 Relations with EUROJUST...................................................................................................53-54 4.4 European assistance programmes to take over and implement the good practices
nationwide..............................................................................................................................55-60
- Perception of development level of data protection field in the Republic of Moldova (Mr. Carsten MAHNKE, Co-ordinator of MIAPAC project).............................................................55
- Perception of development level of data protection field in the Republic of Moldova ( Mr. András JÓRI, Dr., EU Expert, MIAPAC project, former Commissioner of personal data protection of Hungary.................................................................................................................56
CHAPTER V
STREHGHTENING MANAGERIAL CAPACITIES OF THE CENTER 5.1 Humanresources..........................................................................................................................61 5.2 Aspects regarding economic activity.....................................................................................61-62
CHAPTER VI PROBLEMES ENCOUNTERED IN ACTIVITY AND GOALS SET FOR 2013
6.1 Problems faced by the Center......................................................................................................63 6.2 Goals for the year 2013………………………………………………............………….....63-64
- Appendixes 1-3………………………………………………………...........…………….65-68
3
Unnoficial translation
PREFACE
Given the legal obligation, but also in order to inform society about the evolution’s field of protection
of individual on his/her personal data processing, the National Centre for Personal Data Protection of
the Republic of Moldova (hereinafter the Center), submits the Progress Report for the year 2012.
While the report reflects the synthesis of main activities performed by the National control authority of
personal data protection for 2012, comparative statistics show tangible progress achieved at a distance
of 4 years since the establishment of the entity which I represent.
This proves not only the large number of normative and legislative interventions in order to
comply with the national regulatory framework at European principles, but also concrete actions aimed
to aspects of real implementation of the legislation’s previsions.
In premiere, the report also contains the positions of different notorious personalities which
represent a form of assessment of perception, nationally and internationally, of the development level
of this sector in the Republic of Moldova.
To ensure confidentiality of personal data that have been known during the work activity of the
Center, in accordance with Article 29 of the Law on personal data protection, the examples mirrored in
report are made anonymous in order to make impossible their association with an individual identified
or identifiable.
Yours Sincerely,
Vitalie PANIŞ Director
4
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
H.E. György VARGA Former Ambassador Extraordinary and Plenipotentiary of Hungary to the Republic of Moldova
„On the occasion of compilation of the Annual Progress Report on the activity of the National Center for Personal Data Protection of the Republic of Moldova I would like to share with you my views and experiences gathered in pursuance of my duty in Moldova from 2008 till 2012.
The right of people to protect their own personal data and the obligation of states to provide the necessary conditions for that is a highly developed area both in the European legislation and in the practice of the EU Member States. During the last couple of years the Republic of Moldova has done serious steps in order to create a comprehensive data protection system corresponding to all internal and international demands.
As ambassador of Hungary, a country having friendly relations with Moldova, and a country having recent experiences in the European integration, I have had the possibility to follow the Moldovan efforts in this field very closely. After taking up my post in Chisinau in May 2008 I realized that Moldova had a law on data protection without having institutions to implement the legislation. Having the support of the Ombudsman for data protection of Hungary and with the financial support of the Ministry of Foreign Affairs of Hungary I proposed to the Speaker of the Moldovan Parliament to appoint the director of the future institution by the parliament, and Hungary would take the responsibility to train the core of the staff, a group of Moldovan experts in data protection issues. In November 2008 the Parliament of the Republic of Moldova nominated the Director of the National Center for Personal Data Protection. In December 2008 the newly appointed Director and his staff took part in a training in Budapest, and on the 1st of January 2009 the Center began to work.
There was a lot to do. Human resources, infrastructure, inter-ministerial and international contacts were lacking. Creating the Center for Personal Data Protection from zero needed serious efforts from the small staff. However they managed to comply with the task. Since the establishment of the Personal Data Protection Center the Moldovan society is having the opportunity to be protected by a special institution authorized by the Parliament.
During my stay in Chisinau I had the possibility to visit the Center many times and to cooperate with it. I have been regular guest on the Day of Data Protection (the 19th of January) organized by the Center which was able to build up a significant international network with foreign partner institutions. After setting up the Center Hungary continued to support it through launching technical assistance projects. Due to your strong commitment to build up one of the key constitutional elements of a modern Moldovan state I consider our common work as a great success serving the interests of the Moldovan civil society.
The Annual report is about the activity of the Center in 2012. I am very glad that I had a chance to cooperate with you during this year when a new law on Data Protection was adopted. Your
5
new law incorporates the up-to-date international achievements in the field of data protection and is fully in line with the European integration process of Moldova. This year the Center became beneficiary of a technical assistance program of the European Union in the framework of which a Hungarian expert has been working there to help to adopt the European Union’s practice in data protection. In March 2012 I visited the Center together with the Representative of the Council of Europe in Moldova - our observations were absolutely positive. The Center has an integrated infrastructure, qualified human resources and experiences gained during the last four years.
I am convinced that the National Center for Personal Data Protection of the Republic of Moldova is capable to fulfill its job prescribed by the national legislation in favor of the Moldovan society and can contribute in an effective way to the country’s European integration process. Let me congratulate Mr. Vitalie Panis, Director of the Center and his colleagues for creating a very important institution and achieving significant result within a relatively short time.”
6
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE
REPUBLIC OF MOLDOVA
Udo BURKHOLDER Head of European Union Border Assistance Mission to Moldova and Ukraine
„European Union Border Assistance Mission to Moldova and Ukraine (EUBAM) highly
appreciates the National Center for Personal Data Protection of the Republic of Moldova as an autonomous public authority that performs its duties and exercises its legal responsibililities on personal data protection with integrity, and respect for human rights and dignity.
In order to carry out control in the field of personal data processing, the Centre not only undertakes measures to stop personal data processing that is performed in violation of the law and bring individual cases to the attention of judicial authorities, but also maintains a register of personal data holders, and periodically informs institutions and societyu about its activities.
It is now the occassion for the Center to make its annual public report, and it therefore gives me great pleasure to have the opportunity to make a contribution.
First of all I would like to take this opportunity to congratulate the Center on the occasion of the entering into force of the new law on data protection. Regarding its implementation, it should be mentioned that the launch of the Register of Personal Data Operators was an important milestone. With these measures was introduced the legal abligation for personal data operators to notify the national authority before commencing processing of personal data. At the same time, this action aimed to accomplish item 37 of the National Program for implementing the EU-Moldova Action Plan on visa liberalization.
Supporting the implementation of this National Program is an important objective for EUBAM, and this policy will remain unchanged.
We are happy that in the framework of the cooperation with the Mission, the Center facilitates the consultation process with the Moldavian Partners of EUBAM in order to make the Mission familiar with the sectorial implementation of the national data protection legislation.
At the same time I can give assurance that EUBAM will make its contribution to the development of the National Strategy for Personal Data Protection of the Republic of Moldova with provision of a special report on the Application of data protection rules and regulations by the border management agencies of the Republic of Moldova.
As far as our further cooperation is concerned, EUBAM looks forward to supporting the Centre in the organisation of the international data protection conference on 28 January 2013 on the occassion of the International Data Protection Day. Through this event and our future cooperation it is anticipated that we shall more clearly identify the further needs of EUBAM Partner Services in compying with the data protection legislation.
”
7
Outlined objectives for 2012
For the year 2012, the Center has established several goals that must be achieved to ensure the
dynamic and evolving character of personal data protection field in the Republic of Moldova. These
include:
- promoting the idea of nationwide implementation of the principles set out in
Recommendation no. R (87) 15 of the Committee of Ministers to Member States regulating the use of
personal data in the police sector, adopted by the Committee of Ministers on 17 September 1987, and
the Framework Decision 2008/977/JHA of 27 of November 2008 on the protection of personal data
processed in the framework of police and judicial cooperation in criminal matters;
- development of media campaigns on “Requirements for the assurance of personal data
security at their processing within the information systems of personal data”, approved on 14
December 2010 by the Government Decision no 1123, for the purposes of implementing the
provisions of this normative Act by the personal data holders (controllers);
- implementation of the integrated Automated Information System “State Register of personal
data controllers” and conducting the registration proceedings of personal data controllers and of the
filling systems in which personal data are processed;
- sectoral analysis of the legal framework with reference to the personal data protection field
and developing the guidelines to bring the personal data processing operations in accordance with the
principles of law on personal data protection, including systematic organization of conferences, round
tables and training courses, advertising activities to promote data protection field;
- developing of the project of the national Strategy of personal data protection;
- participation in international conferences in the field, which will help to promote the image of
both the Centre and the country as a whole, as well as to the assimilation of international experience to
improve national practice in personal data protection sector;
- strengthening collaboration with civil society and attracting them in the promotion and media
coverage of personal data protection field as well as the accession of the new programs (TWINNING,
TAIEX, EU Funds) in this regard.
To achieve these goals, which were reached at 100%, the Centre's activities during the year
2012 were held under the aegis of the idea of the promotion of the personal data protection field and
providing necessary instructions for the entities involved in the personal data processing operations to
comply with the law provisions.
8
CHAPTER I THE SUPERVISORY AND CONTROL ACTIVITY
1.1 Performing controls, analytical work, participation in courts
Compared to previous periods, there is a steady increased number of personal data subjects’ complaints which have claimed that their right to privacy has been infringed. In 82 of cases, the recorded appeals served as grounds for the Center to launch controls in order to ckech the legality of personal data processing operations in accordance with the provisions of Art. 27 para. (2) and (4) of the Law on personal data protection.
The situation at this chapter, in comparison with previous periods, is given in table no 1 as follows:
Tabel no 1. Specific cases of breaching personal data protection legislation
period to compare
performed controlls
including from the office/upon notification of personal data subjects
Reactions acts issued as a result of controls
performance
decision to suspend
personal data processing operations
decision on cessation of
personal data processing operations
decisions on deleting data processed in breach of the
law
contraventional minutes
drawn up
year 2009 8 4/4 3 4 2 -
year 2010 20 12/8 7 - 2 -
year 2011 46 17/29 3 - 7 -
year 2012 82 6/76 6 1 - 4
The plaintiffs usualy alleged the excessive and unfounded character of consultation and
personal data extraction operations, stored in various state information Resources, as well as the illegal
collection of their personal data without ensuring the right to information and of access. The Center
also found that within complaints it began to be required the control perfomance to check the legacy of
establishment of automated filling systems by private and public entities in which are processed
personal data; to chek the legalicy of installing the video surveillance devices in certain areas, as well
as the control of reasons of non-registration of filling systems and databases in the filling Register of
personal data controllers.
9
Example no 1:
creating information systems and databases breaching the legislation on personal data protection
Upon the petition of certain Members of the Parliament of the Republic of Moldova, which
have cited alleged breaches of the principles of personal data protection by the method of publication
on the official website of the Prosecutor General of interpellations made by MPA, the Center initiated
a control.
It was determined that since the 5th of November 2012, the Prosecutor General has created a
section on its official website, entitled „Interpellations and questions of deputies”
(http://www.procuratura.md/md/ID/), through which everyone can access and watch the rhytm and
content of inquiries and complaints that come from the MPA, the section being updated daily. In fact,
automatically processing personal data regarding subjects indicated in the interpellations of the MPA
structured as centralized series, distributed by functional criteria and accessible according to specific
criteria on the official site, the Prosecutor General is established as the controller of such personal data,
having the legal obligation to notify the Centre and record evidence systems designed in accordance
with the provisions of the Law on personal data protection and the Regulation of the Register of the
personal data controller, before the commencement of processing operations. Given the findings, the
Center interposed with an instruction, recommending the Prosecutor General to initiate immediately
depersonalization procedures of the documents referred by excluding specific identifiers regarding the
subjects of personal data, indicated in the interpellations of MPA, as well as in other inquiries made
public by prosecutors. On the basis that the Prosecutor General has not complied with the instructions
and has not depersonalized the mentioned documents, the decision was issued ordering the suspension
of such procedures of personal data processing.
As a result, the Prosecutor General has made some technical actions intended to prevent
indexing by search engines of personalized content of interpellations disclosed, while initiating the
appeal procedure in administrative court of the decision issued by the Centre.
The national supervisory authority for personal data protection considered the actions that
prevent search engines from indexing the personalized content of disclosed interpellations as
insufficient to protect individuals against automatic processing of personal data affecting them.
Regrettably, but after 7 months after the entry into force of Law no. 133 of 08 July 2011 on personal
data protection, the Prosecutor General - important authority called to represent the general interests of
society, to defend the rule of law, as well as the rights and freedomsof citizens, not only did not take
any action to comply with the provisions of article 34 para (4) of this Law and notification of record
10
systems held, but what is even worse - creating new filling systems of personal data breaching the
principle of protection of individuals against automated processing of personal data affecting them.
In such circumstances, when time limits to appeal the decision, in case of non-compliance, the
Center will consider starting proceedings against decision-taking factors of contravention procedure
under art.743 of the Contravention Code.
Example no. 2:
unlawful processing of personal data concerning employees
While examining the circumstances indicated by an employee of a medical institution from
Ciocana district, Chişinău municipality, which requested the legality of processing procedures through
video surveillance system, of personal data that concerns staff / patients / visitors of the respective
institution, the Center conducted an unannounced control. During the review, it was found the
existence of means of video surveillance in the building of the medical institution that provided
personal data processing regarding staff / patients / visitors, without notifying the national supervisory
authority of personal data protection and without placing appropriate information (icons) that would
inform data subjects about the processing of personal data. Given the circumstances found, the Center
issued a decision that forced the personal data controller to suspend personal data processing
operations by way of video surveillance, until the development and approval of institutional security
policy, in accordance with art. 30 of the Law on personal data protection and requirements to ensure
the security of personal data at their processing within the personal data information systems,
including up to notification of the Center for the registration of the information system accordingly.
Example no. 3:
personal data processing which concerns minors placed in medical institutions
During the reporting period, the Center conducted several analyzes of the situation regarding
privacy and personal data protection principles concerning minors. As well as in 2011, the basis for
these activities served frequent disclosures of personal information about children, being found that the
media continue to freely enter medical institutions (ex. Ignatenco hospital from Chişinău), filming and
photographing without restrictions the patients - children, having personalized interviews on certain
sensitive subjects, etc.
The Center was in a position to state that the situation has not changed, therefore reminded the
Ministry of Health - the central body of public administration in health domain, that the health data
privacy regime requires denial of access for unauthorized persons. Information on the health situation
of children, photos and video of these minors patients and personalized interviews conducted in
11
medical institutions involving medical staff, without written consent of their representatives,
constitutes a serious breach of privacy and personal data protection principles. These moments are as
well reflected in the Style guide with ethical norms for journalists approved by the members of the
Independent Press Association on 13 March 2009, which states that journalists are not allowed to take
pictures or film minors without the permission of a parent, tutor or other legal representative, except
situations when the child is being bullied, is involved in an accident or is infringing. Nevertheless, in
order to post pictures / images the consent of parents, tutor or other legal representative is necessary.
It was mentioned the importance of guaranteeing the right to inviolability of intimity, private
and family life (art. 28, Constitution of the Republic of Moldova) and to confidentiality and security of
personal data processing (Articles 29 and 30 of the Law on personal data protection) while performing
medical investigations, treatment that is canceled only if such data are depersonalized. The use of
photo, video, audio or other means for registering on and within the territory of health facilities may be
allowed only upon special permission of the management of personal data controller, which must
assume responsibility for any moral and material prejudice to the subjects of personal data in general,
and in the case of minors, in particular, only with the consent of their legal representatives.
Consequently, on 17th of December 2012, the Ministry of Health sent a circular letter addressed
to medical institutions (Annex no. 3 to the Progress Report), which pointed to the need to respect the
principles of personal data protection.
Example no. 4:
Respecting privacy of minors in educational institutions
The same situation maintained in the education sector, being noted cases of information disclosure
targeting students by media representatives, who were permitted to entry the school, filming and
photographing children, conducting interviews with them, collecting personal data from teachers and
medical staff with respect to certain sensitive topics etc.. Despite the instructions given earlier in this
respect, sectoral regulations appeared only on 19 October 2012, when the Ministry of Education sent
to the educational institutions a circular letter on the need to respect the principles of personal data
protection and the existence of written consent of the legal representative for reports made by the
media in the area of educational institutions. The Center appreciated this situation as a very important
step to ensure the best interests of children, noting that these actions will sensitize teachers and heads
of educational institutions on the importance of ensuring the right to privacy of children and the need
to implement the provisions of personal data protection legislation.
It is necessary to mention that the Center, in the reference period, intervened with more
decisions to suspend personal data processing operations as a result of examining breaches of
legislation in education field:
during the baccalaureate session of 2012, when the video surveillance initiative was launched
12
without notifying the national supervisory authority of personal data protection, as well as without
implementing appropriate technical and organizational measures in order to respect the confidentiality
and security of processing this category of personal data;
during the implementation of the Education Management Information System, which has not
been registered in the Register of evidence of the personal data controllers, not being shown to the
Center the materials and detailed information that would argue the need for collection and processing
special categories of personal data, including that would specify organizational and technical measures
taken to ensure personal data protection, intended to be processed, storage term and retention of
personal data collected, as well as actions taken on them after the expiry of processing term or
reaching the goals of processing; technical, program and applicative means designed to ensure the
integrity and confidentiality of information during processing, storage and transmission by means of
communication channels;
during implementation, by some educational institutions, of the information systems of
automated processing of personal data aimed at students, to ensure access control on the territory, as
well as to benefit from certain discounts on purchasing commercial products using the same access
card.
13
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
Dear Mr Director,
In relation to the received request, We would like to send the ISS of RM vision on the status of personal data protection in the Republic of Moldova.
Sincerely yours,
Mihai BALAN Director
"Intelligence and Security Service welcomes the development and implementation of
appropriate legal framework for the protection of personal data in order to ensure the rights and
freedoms of individuals. The need for such a law in a democratic society is not disputed.
At the same time we disagree with reference to the method the law was edited. However,
according to the Service's opinion, ensuring the rights and freedoms of a person must not infringe the
rights, freedoms and, in particular, the safety of other citizens, the state and society as a whole.
We appreciate the importance of the sector managed by the National Center for Personal
Data Protection, noting, however, that its activity must not affect the activity of providing security,
defense and public order (law enforcement activity), but rather help prevent possible cases of
unsanctioned access of data protected by third structures (private, commercial, criminal groups, and
so on), and assessments made to be an example of depth and fairness.
The Service exposes categorically against attempts to interfere in the work force, investigation
and prosecution, assigned by law to law enforcement bodies, qualifying them as actions that may
result in disclosure of the results of many special investigations activities and criminal prosecution,
other information attributable to the state secret, which overall may prejudice public order, national
security, crime prevention and detection, credibility with foreign partners, not the least being the
safety of citizens and society, and that we want to believe, is not coordinated by hostile forces,
especially from the outside.
Along with the provisions of national legislation, often neglected by the authority empowered
to ensure personal data protection (repeatedly mentioned issues, including by civil society, foreign
investors, especially American Chamber of Commerce in the Republic of Moldova), we reiterate that
14
the current wording of Law no. 133 of 8 July 2011 on personal data protection comes into
contradiction with the provisions of sections 13, 16, 43 and Article 3, paragraph 2 of Directive
95/46/EC, which allegedly aims to realize. According to those provisions, this Directive shall not
apply to the processing of personal data implemented on activity outside the scope of Community law,
such as those provided for in Titles V and VI of the EU Treaty and in any case processing operations
concerning public security, defense, State security (including the economic well-being of the State
when the processing operations are related to State security matters) and the activities of the State in
areas of criminal law.
In this context, we strongly believe that the adoption of the law project regarding amending
Law no. 133 of 8 July 2011, prepared by ISS, will contribute significantly to ensuring appropriate
conditions for the adequate protection of the information defined as state secret / prosecution secret
(including information on state security, national defense, public order, crime prevention and
counteraction ), guaranteeing at the same time, against arbitrary processing of personal data.
To exclude abuses and prevent irregularities, the Service has developed an internal
mechanism to minimize the danger of disclosure of personal data and gives assurances about the
legality and validity of the actions taken in this regard, reiterating that one of the main tasks,
according to the law in force, is the implementation of measures aimed at detecting, preventing and
countering any action that, under the law, endangers state, public and individual security, including
actions that breach the rights and liberties of citizens and endanger the security of the state – a
responsability that ISS will strongly further realize. "
15
In the Annual Report for 2011, the Center has alerted the society on some problems ascertained
during the control over the legality of the automated processing operations, by consulting and
extracting by the state agents, with the purpose of performing the operative investigative and criminal
investigation activities of personal data stored in the main state informational resources. At that
moment, the situation was the following: some of the authorized users within several public authorities
were collecting the personal data stored in the state registers without having the legal grounds for
doing it, without determined purposes and without a proper registration of such actions, being
impossible for them to justify, upon Center’s request, the necessity of several operations of personal
data processing. The most relevant example, that shows an obvious discrepancy of amount of cases
when the operations of consulting and extracting the personal data cannot be justified was referring to
the Intelligence and Security Service1, but it was not specific just for this public authority.
Considering the ascertainment and proposals made at that time and that on 14 April 2012 has
become effective the Law on personal data protection, being already applicable the Center’s
requirements on the ensurance of personal data security during their processing in the personal data
information systems, the Center considered necessary to present the information on the current state of
affairs in this regard, that meanwhile has developed under other dimensions.
It ought to be mentioned, that as a result of the efforts made by the Parliament, Presidency and
Government, the regulatory and legislative framework regulating the area of personal data protection
has been significantly improved (a fact that was also recognised by the European partners), that
established conditions for the strengthening of the Center’s institutional and administrative capacities
with the view of ensuring the control over the implementation of the legislative norms, including by
interesting the relevant authorities in changing their institutional policy regarding the need to ensure an
adequate regime of processing the personal data necessary for reaching the purpose and enforcement
of sectorial competences.
Most of authorities have initiated specific activities for the establishment of the conditions
necessary for the implementation of the legislative provisions on personal data protection, but also for
the ensurance of an internal control over the data protection operations. Under these circumstances,
analysing the information provided by the data controller managing the State Register of Population, the
Center is satisfied to ascertain that the situation starts to change, and this happened not only as a result
of the numerous awareness raising campaigns, workshops, conferences, seminars and round tables
organized by the Center in partnership with the European experts. It is worth mentioning that within
1 Based on the information provided by S.E.„CRIS „Registru", the authorised users from ISS, during 01.01.2010 - 31.12.2010, have accessed 129 341 times the State Register of Population and in 22 373 cases, the personal file has been extracted. In the same time, the ISS has informed the Center only about 39. 945 accesses of the State Register of Population, being unable to legally justify the other 89 395 accesses.
16
some authorities specialized personal data protection subdivisions have started their activity. For
example, within ISS was established and efficiently operates the institutional Commission for the
verification of the legality of accessing the personal data, within Ministry of Internal Affairs (MIA)
was established the Personal Data Protection Service etc.
The situation dynamics is presented in Annex no.1 to the Progress Report, being obvious that
the use of one of most important state information resources, that concentrates a crucial amount of
personal data for the purpose of efficient management of public tasks, is not being conducted in a non-
controlled manner any more, in order to find out when is the date of birth of an acquaintance, or for
other personal reasons. Exceptionally, but in some cases it has been ascertained that the amount of
accesses and extractions of personal data have dropped down by 90 %.
Generally, based on the information provided in Annex no.2 to the Progress Report, it is
obvious a significant decrease of the amount of operations of consulting the personal data stored in the
State Register of Population. Thus, if during 2010 there have been carried out 1789516 operations of
their consulting, than during 11 months of 2012 it have been carried out only 1130243 operations,
which is 650 thousand operations less (-30%).
Despite these important statistics, the Center still ascertains the existence of some vicious
practices, divided into two categories, as follows:
I. Usage by some servants of the service statute and other public resources in order to check whether they make the object of a legal investigation of the law enforcement authorities
One of the vicious practices refers to the situation when public authorities’ representatives
holding the legal right to request and receive specific information from the public and private
institutions, require the data controllers, particularly S.E.„CRIS„ Registru”, the provision of
information on the entities that have consulted (accessed) the personal data directly referring to them
that are stored in the State Register of Population. For example, during the year 2012, the Center has
received inquiries, signed by middle level MIA decision takers, to which were annexed the information
received from S.E.CRIS „Registru” on the authorised users and entities that have carried out
consultancy operations and have extracted the personal files of some subordinated police officers.
Moreover, from the annexed documents it became obvious that to these police officers has already
been acknowledged the information on public or private entities that have consulted and extracted their
data, on the authorised users that have performed these operations, including the date, month, year and
time of operations.
These situations imply a concern, from the perspective that under such circumstances, the
employees of the law enforcement authorities find out easily and promptly if they make the object of
special investigative activities, or of prosecutor’s investigation, this implying the real risk of
compromising the investigation. This is the conclusion of the materials accumulated during the checks
17
run by the Center, when it was acknowledged that many entities from the list of those who have
consulted and extracted personal data of persons mentioned in MIA inquiries, have classified some
information presented to the Center, requiring the restriction of the right on informing the subjects for
determined periods.
II. Refusal to present the information requested by the Center under the pretext that it makes the object of a state secret, as way as authorities’ breach of the rights to subjects’ information and access to personal data by unjustified classification of information
During the control activities and examination of complaints lodged during 2012, the Center has
ascertained the continuous occurrence of situations when some authorities empowered to carry out
special investigative activities, infringe the person’s right to have access to the information on
processing the personal data referring to him/her, including after the elimination of circumstances that
may assume the situation when the objective of the police activity is injured.
Thus, even if the art.15 of the Law on personal data protection (effective since 14 April 2012),
stipulates that upon the termination of the situation that has justified the limitation of the right to
information and of access of personal data subjects2, the data controllers will undertake the required
actions in order to ensure the observance of these rights; that the processing of personal data for the
given purposes cannot exceed the period necessary for the reaching of the followed purpose; and that
the public authorities shall register the application of such exceptions and within 10 days to inform the
Center on the processed personal data under the conditions of this article – in practice, it have aroused
difficulties in the enforcement of this legal provision.
We reiterate that in the European Council’s terms, the restriction activities are necessary in a
democratic society, solely if they are justified by a pressing social need and if the modality of their
implementation - limitation of some right of the persons – is proportionated to the purpose followed.
Any exceptional or abusive widening of the categories of information that makes the object of the
personal data, by their unjustified inclusion in the category of the state secret, makes an obstruction
and illegal restriction of the subjects’ right to access, set forth by Convention for the protection of
individuals with regard to automatic processing of personal data, regarding supervisory authorities and
transborder data flows.
Even though, sometimes, specific public entities, under the pretext that this information may,
allegedly make the object of a state secret, refuse to inform the Center on the processed personal data
under the conditions of the art.15 of the aforementioned law, including the refusal to reveal the legal
ground for the consulting (access) and extraction of personal data stored personal in main state
2 When the processing of personal data is carried out in the framework of some activities intended for the prevention and investigation of crimes, execution of the conviction sentences and of other criminal procedure or contravention activities, with the aim of national defence, state security or maintenance of public order, protection of rights and freedoms of personal data subjects or of other persons, if by their enforcement is harmed the action’s efficiency or purpose followed in exercising the legal competence of the public authorities.
18
information resources, which creates certain difficulties in the process of controlling the legality of
their processing in line with the provisions of the Law on personal data protection, but also the
observance of the period of examination of complaints.
Additionally, during the examination of complaints from a number of subjects, which in 2012
asked for the verification of the legality of processing operations via the method of consultation
(access) and use of their personal data, stored in main State Information Resources, the Center inquired
the authorities which had carried out these operations to submit the information on the purpose and the
legal basis for the processing of personal data. As in some cases, the information provided by the
Intelligence and Security Service (ISS) showed directly that a part of consultation (access) operations
and retrieval of personal data were carried out with breaches of the legal norms regulating the
principles of personal data protection and were classified illegitimately, the Center asked the issuer for
a declassification thereof. As grounds for submitting the request on declassification served the
provisions of art.8 para.(1) let.a) and f) of the Law on State Secret, which expressly sets forth that can
not be defined as state secrets and can not be classified as data on breaches of human and citizen rights
and freedoms, as well as cases of infringement of law committed by public authorities and their
officials. However, ISS refused to declassify the data disputed and stated that it was not possible to
determine the purpose and the legal basis of the access, since the persons who accessed the data do not
work any longer within the Service and the materials on which the accesses were based could not be
identified, however, considering that the absence of records in the Register of accesses evidence does
not prove the fact that access operations were carried out illegitimately and with breaches of human
rights and freedoms.
Taking into account that data referring to certain aspects of breach of fundamental human rights
and freedoms in terms of personal data processing was groundlessly and illegally classified against the
provisions of art. 8 para.(1) let.a) and f) of the Law on State Secret, and that the absence of materials
on which access operations (consultation) of this data was based, including the retrieval via the
method of printing personal files whose location at the moment is not identified, demonstrate
that there are irregularities in the process of collection and storing of personal data. Thus, being
groundlessly and illegally put under the cover of the provisions of the Law on State Secret, they make
possible an eventual condemnation of the Republic of Moldova by the European Court of Human
Rights - as in the case of Rotaru versus Romania – the Center, in 6 cases, has ascertained the refuse for
declassification by bringing actions before administrative courts. In 4 cases, the Chisinau Court of
Appeal, as the first instance court, rejected the requests of the Center on the grounds that the breach of
the rights of personal data subjects was not proved (at the moment they are disputed at the Supreme
Court of Justice), other are being examined.
19
Nevertheless, in 2012, for the first time since the foundation, representatives of the Center started
to participate in courts, administrative cases, initiated as fact-finding agent in accordance with the
provisions of art.4234 of the Contravention Code, but also in proceedings initiated in accordance with
the provisions of the Law on administrative court, aiming to constrain some authorities to declassify
the data deemed as classified illegally.
For instance, 4 administrative proceedings have been initiated since 16 June 2012, when the
legal provisions empowering the Center with competences of a fact-finding agent became effective. In
one of the cases, the protocol was initiated against an official who provided unauthentic data to the
Center, and other 3 cases referred to the refuse of officials to provide information on the purpose and
the legal basis for consultation and processing of an individual's personal data, which were stored in
the State Register of Population under the pretext that the actions of data processing were carried out
within an operative and investigative activity, the results of which would represent a state secret.
As a result, the court, in the first case, ascertained the guilt of the person for having committed
the offence envisaged in art. 742 para.(1) of the Contravention Code (provision of unauthentic or
incomplete data), and in other 3 – ruled the decisions which ascertained the guilt of persons for having
committed offences envisaged in art.742 para.(1) of the Contravention Code (refuse to provide data or
documents requested by the Center in the process of performing responsibilities of control), applying
in all cases the punishments in the from of a fine in the amount of 50 conventional units.
It is to be specified that the decisions ruled both in administrative cases and by administrative
courts are very important, as they represent a response to Center’s attempts aimed at ensuring the
implementation of the Law on Personal Data Protection. The scope of this Law covers also personal
data processing defined in the prescribed manner as state secret, carried out within the actions of
prevention and investigation of crimes, enforcement of conviction sentences, and other actions within
the criminal or administrative procedure in accordance with the law. Ultimately, it is intended to create
an uniform judicial practice, which would clarify the procedures of classifying the data on operations
of personal data processing carried out by the concerned authorities entitled to undertake special
investigative activities, as well as the procedures aimed at ensuing observance of individual’s right to
information and access.
Concomitantly, it was determined that the participation of the Center’s representatives in 35
court hearings, at different levels, in the process of examination of administrative cases and
administrative courts’ proceedings require substantial efforts and human resources from both the
Evidence and Control Department (as the fact-finding agents) and the Legal and Public Relations
Department in connection with administrative courts’ cases. This pressure will continue to increase,
taking into consideration that the decisions issued by the Center as a result of examination of citizens’
20
complaints, but also as a result of examination of the applications for registration as personal data
controllers are subject to appeal in administrative courts.
The decisions of the Center have been appealed within the reported period in 2 cases only, in
one case the decision remained effective and in other case the court did not rule any decision.
1.2 Registration of controllers, databases, information and data procession systems which
store and process personal data After its official launch on 15 August 2012, the Automated Information System “The Register of
Evidence of the Personal Data Controllers” has initiated the activity with the view of implementing the
provisions of the Law on Personal Data Protection. The art.23 of the Law stipulates that the controllers
are obliged to notify the Center personally or through their legal representatives, prior to the
processing of personal data intended for a certain purpose. It is to be highlighted that where the
registration does not comply with the manner prescribed, art.741 para.(2) of the Contravention Code
envisages administrative liability3.
The registration of controllers and changes in the data included into the Register of Evidence of
the Personal Data Controllers is performed free of charge, including the on-line registration; the
situation as of 31 December 2012 is presented in the table below:
Table no.2
Period Number of registered controllers
Number of databases, information and data procession systems which store and process personal data
Number of notifications which are in the process of examination
Number of refusals related to the applications for registration
2009 0 0 0 0 2010 0 0 0 0 2011 0 0 0 0 2012 17 31 5 1
Apart from mediatisation actions, the Center sent on 15 September 2012, to major personal data
controllers from these sectors: banking, educational, medical, judicial, communications, public
administration, etc., a circular letter, informing about the launch of the information system “The
3 Art.741 paragraph (2) of the Contravention Code: processing of personal data without a notification and/or authorisation of the authority for control in the field of personal data processing, when the notification or the authorisation is mandatory, as well as processing of personal data by a controller which is not registered in the prescribed manner, shall be subject to a fine of 150 conventional units applied to an individual, a fine from 200 to 500 conventional units applied to a legal entity, or to the deprivation, in both cases, of the right to carry out an activity for a period of 3 months up to one year.
21
Register of Evidence of the Personal Data Controllers”. Also, the Center informed about the fact that
in accordance with the provisions of art. 23 and 28 of the Law on Personal Data Protection controllers
are obliged to notify the National Authority for Personal Data Protection regarding the operations of
personal data processing intended to serve a purpose as well as to provide the Center with information
regarding the implementation of an institutional security policy according to the Requirements for
ensuring personal data security during the processing within personal data information systems.
The controllers were explicitly informed that the procedures of notification and
registration are carried out by personal data controller or by the person authorised by them for
each system of personal data evidence separately, through an application accessed via the
Internet page www.registru.datepersonale.md in accordance with the provisions of art. 23-28 of the
Law on Personal Data Protection and the Regulation on the Register of Evidence of the Personal
Data Controllers, approved by the Decision of the Government no. 296 dated 15 May 2012.
However, the number of personal data controllers and evidence systems registered at the
moment does not allow doing a systemic analysis of problems or deficiencies in this field.
Nevertheless, the Center determined that a big number of public and private entities are in the process
of finalization of internal procedures on the inventory of information and data procession systems
which process personal data, of the categories of processed data, as well as in the process of
formalization of organisational and technical measures implemented in order to ensure confidentiality
and security of operations, for the purposes of submitting applications for registration.
1.3 Examination of petitions and other requests of personal data subjects
In accordance with the provisions of art. 27 of the Law on Personal Data Protection, personal
data subjects who consider that the processing of their personal data does not comply with the
requirements of the law, may address a complaint to the Center within 30 days from the moment when
the breach was detected. In the process of settling the complaint, the Center may hear the personal data
subject, the controller, and, as the case may be, the operator and the witnesses. The Center may also
order an unannounced control. As a result, it issues a grounded decision either on no breaches of legal
provisions or on the suspensions of personal data processing operations, or on rectification, blocking or
destruction of inaccurate data or obtained unlawfully.
At the same time, any person who has suffered damage as a result of an unlawful processing
operation of personal data or his rights and interests guaranteed by this law have been breached, shall
have the right to refer in a court to repair the material and moral damages.
In this context, having legal competences to examine the complaints of personal data subjects,
the employees of the Center examined 214 petitions and requests during 2012 (almost 3 times the
22
number compared to 2011 and 10 more compared to 2010), of those 98 were admitted, 5 rejected, and
in 111 cases respective explanations were provided.
Table no.3
Compared period
Examined petitions
of them admitted /refused/
explanations
Acts of reaction
Controls initiated on the
basis of petitions
Decisions on termination of personal
data processing operations
Initiated administrative
proceedings
Procedures within
administrative courts
Year 2009 14 4 1 9 4 1 0 0
Year 2010 21 17 1 3 8 1 0 0
Year 2011 90 42 13 35 29 - - -
Year 2012 214 98 5 111 69 - 4 6
In 69 cases, the petitions and requests addressed have served as grounds for initiation by the
Center of controls over the legality of personal data processing operations. In the situation when the
controls were initiated on the basis of petitions/requests of individuals, 2 decisions of suspension of
personal data processing operations were given.
In 129 de cases, persons requested that the Center perform control over the legality of
operations of consultation and retrieval of their personal data, stored in different state informational
resources; personal data subjects expressed their right to opposition in 66 petitions and other requests,
and they were explained the correct way of practising this right; in 5 cases personal data subjects
requested the right to intervention to be observed (modification, erasure, update of personal data, etc.),
and in 14 cases – they referred to other problems.
23
CHAPTER II LEGISLATIVE DRAFTING ACTIVITY, CONSULTATION AND APPROVAL OF
ELABORATED PROJECTS
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
Anatolie MUNTEANU Parliamentary advocate, Director of the Center for Human Rights in Moldova
„The beginning of '60 has seen rapid progress in the field of electronic data, and first computers allowed governments and big corporations to create their own databases in order to improve and enhance the collection and processing of personal data. This fact has resulted in a clear tendency of massive electronic storage of data with regard to individual’s private life. Taking into consideration this tendency, the Council of Europe decided to establish a framework of specific principles and standards, aiming to avoid disloyalty in the process of collection and processing of personal data. Thus, in 1981, after four years of negotiations, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as Convention 108, was signed. On the basis of this Convention, the Parties shall take the necessary measures in their national law to give effect to the basic principles set out in the Convention, and in particular with regard to personal data of all individuals on their territory. These principles include the lawful and fair processing of data stored for specific and legitimate purposes and shall not be used in a way incompatible with those purposes.
Meanwhile, the social and economic development has resulted in more comprehensive forms of organisation, management and production that are based on strong processing systems. In these circumstances, the individual became an active agent of the “information society”, which, in its turn, may affect more significantly the individual’s private life. This evolution represents a considerable challenge in terms of personal data protection – an extremely important and relatively new sphere in legislative framework of the Republic of Moldova. Its content focuses, generally, on the right of an individual to have his/her identity protected and on the correlative responsibility of the state to adopt adequate measures in order to ensure effective protection. For this purpose, in the Republic of Moldova was brought into existence a public autonomous authority having such competences of control – the National Center for Personal Data Protection, which carries out its responsibilities independently from any public authority or private law subject. Through the creation of this Center
24
was implemented the Acquis represented by Convention 108 regulating the general legal framework on personal data protection in Europe.
Nowadays, the Council of Europe has acknowledged that European citizens generally are not informed about the matters related to personal data protection, about their rights in this regard and legal procedures which could be used in order to practise these rights. Neither in the Republic of Moldova citizens are so far aware of the importance of the right to privacy and do not conceive it as an inherent right of the human being, which imposes the state the obligation not to intrude only, but also positive obligations requiring from authorities in particular to take reasonable and adequate measures to protect individual’s rights. Considering this, the National Center for Personal Data Protection undertakes to inform the society about the main problems and concerns in the field of human rights protection with regard to processing of personal data. I highly appreciate these activities of the Center that offer guarantees for observing the right to privacy of each individual”.
25
2.1 Harmonization of regulatory and legislative framework governing the personal data
protection field
With the scope to achieve the goals set out at the beginning of 2012, it is required to introduce
more elements related to this area and corresponding to the conditions necessary for the National data
protection control authority to be able to develop the planned activities.
Thus:
Beginning with the 01 January 2012, the Additional Protocol to the Convention for the
protection of individuals with regard to automatic processing of personal data is applicable for our
country; it is related to the authorities on data transfer flows surveillance and has been adopted in
Strasbourg on 08 November 2001 and ratified by the Parliament of the Republic of Moldova by Law
no. 110 as of 09 June 2011 (Official Monitor nr.103-106/274 as of 24 June 2011). This international
instrument specifies the state of national control agencies in the area of data protection, that will be
performing its attributions in complete independence – this is a constituent element of the effective
protection of persons in relation to personal data processing and legal regime of trans-border personal
data flows tranfer to the recipients, that are not subject to jurisdiction of any of the Conventions’
Party;
On 14 April 2012 the new version of Law no. 133 as of 08 July 2011 on personal data
protection came into force, its draft was developed in compliance with the provisions of the
Convention no. 1084 and the Directive 95/46/EC on the protection of individuals with regard to the
processing of personal data and on the free movement of such data. The new version of this legislative
document ( mainly Law no. 17-XVI as of 15 February 2007 on personal data protection) spesifies the
state and the components of the Center related to establishment of contraventional liability for breach
of legislation on personal data protection; establishes the mechanisms of ensuring financial
independence of the Center, mainly in elaboration and managing the budget of the authority, including
the possibility of the Center to regulate certain aspects related to personal data protection legislatively
at the institutional level; has established the responsibility of the personal data controllers to inform the
Center before starting operations on personal data processing; regulates the mechanism of preliminary
control in cases when personal data represents special risk for rights and liberties of personal data 4 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention nr.108), is the main legal tool specially regulating personal data protection area, which scope is to guarantee each individual on the territory of the states parties, whateter their citizenship and residence is, respect of their fundamental rights and liberties, and, especially, right for private life, as related to automatic personal data processing. This International Treaty establishes the basic principles of data protection, conditions and guarantees in cases of trans-border personal data flows, cooperation between the parties, the role of consultative Committee consisting of representatives of states parties.
26
subjects; regulates the procedure of processing the complains submitted by the personal data subjects;
regulates the possibility of trans-border transfer of personal data under situation when there exists the
contractual clause in this regard; envisages in some chapter the rights of personal data subjects;
regulates the procedure on personal data processing through identification of procedural coercive
measures, criminal liabilities on crimes or contraventions related to influencing state of health, etc.;
The Law no. 208 as of 21 October 2011 on amending and completing some legislative
acts, which was came into effect on June 16th, 2012, namely:
- Regulation of the National Center for Personal Data Protection approved by Law no. 182-XVI
as of 10 July 2008 (through specification of the competences and attributions of the National personal
data protection authorities);
- Law on state fee ( on the exempt of applicants from the obligation to pay state taxes in case
of infringement of personal data protection law);
- Law on access to information (excluding ambiguous provisions on the categories of
information exempted from the need to be confidentially treated);
- Law on advocacy ( by linking its provisions to the rules of Law on personal data protection);
- Law on salarization system in budgetary sector (through evaluation of the management and
some Center’s representatives salaries in relation to other public authorities with the similar status).
- Contravention Code (by establishing contraventional liability for violation of the legislation
on personal data protection and empowering the Center with the competences of fact-finding
authority). It became possible for the Center’s representatives being fact-finding officer to be able to
apply contraventional procedures for the following actions envisaged by the Contravention Code
starting with 16th of June 2012: I. Article 741. Violation of law on personal data protection when processing personal data (1) Non-respecting the requirements in relation to personal data security when processing them in frames of personal
data information systems shall be punishable by a fine of 150 conventional units for individuals and by a fine of 200 to 500 conventional
units for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
(2) Processing personal data without notice and / or approval by the authority responsible for control in the area of personal data processing when it is required for the service to obligatory obtain authorization, including due processing of personal data by an unregistered controller
shall be punishable by a fine of 150 conventional units for individuals and by a fine of 200 to 500 conventional units for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
(3) Infringement of personal data subject’s rights to receive information, have access to personal data, intervene
into personal data, shall be opposed, informed and shall not be subject of the individual decisions shall be punishable by a fine of 150 conventional units for individuals and by a fine of 200 to 500 conventional
units for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
(4) Breach of rights for personal data storage and usage
27
shall be punishable by a fine of 150 conventional units for individuals and by a fine of 200 to 500 conventional units for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
(5) Trans-border transfer of personal data by infringement of law on personal data protection shall be punishable by a fine of 150 conventional units for individuals and by a fine of 200 to 500 conventional
units for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
II. Article 742. Refusal to provide information or impeding access of the National Center for Personal Data
Protection personnel (1) Refusal to provide information or requested documents to the National Center for Personal Data Protection in
the process of performing attributions on control, presentation of the unauthentic or incomplete information as well as non-presentation of the requested information and documents in terms stipulated by law
shall be punishable with a fine of 50 to 100 conventional units for individuals and by a fine of 100 to 500 conventional units applicable for legal entities.
(2) Impeding access of the National Center for Personal Data Protection staff entitled with the control functions to the premises or territory where personal data evidence system is located, as well as to personal data processed by controllers and/or processors, to the processing equipment, to programs and applications, to any document or registration referring to personal data processing
shall be punishable with a fine of 50 to 100 conventional units for individual and by a fine of 200 to 500 conventional units applicable for legal entities.
III. Article 743. Non-implementation of the decisions of the National Center for Personal Data Protection Non-implementation in the established terms of the Decision of the National Center for Personal Data Protection as
regards to legal rehabilitation of the personal data subject, including suspension or termination of personal data processing, blocking, partial or complete distruction of personal data processing by infrindging the law on personal data protection.
shall be punishable with a fine of 50 up to 150 conventional units for individual and by a fine of 200 up to 500 conventional units applicable for legal entities with or without deprivation, in both cases, of the right to lead certain activities for a period of 3 months up to one year.
On 15 May 2012 the Regulation on Registry of evidence of the personal data controllers
was approved by the Government, that made it possible on 15 August 2012 to elaborate and officially
launch the Automated Information System „Registry of evidence of the personal data controllers”
through the Center’s competition on electronic governance; the costs were fully covered by the
Budgetary Fund „Electronic Moldova 2011”. This action ensures the application of the provisions of
Law on personal data protection, according to which the personal data controller shall notify the
National Authority on personal data protection before starting personal data processing. The Registry,
managed and administrated by the Center, is the information system that allows online registration and
evidence of all personal data controllers, data bases, informational and information systems, in which
personal data are stored and processed.
This IT-solution offers public web-interface that allows access and visualization of public
information as regards to personal data controllers, registered information and informational systems.
The achieved benefits resulted from the implementation of registry consist in increasing efficiency and
transparency of the Center’s activity, reduction of inconvenience related to the process of registration
requests’ acceptance, modification or striking the information out of the Registry; ensuring the
possibility of eletronic data exchange; advertising services on informing and online processing of the
requests; reducing costs linked with processing requests of personal data controllers; reducing costs
28
related with processing of handwritten information by switching into information processing
exclusively in digital format.
At the same time, it is required to mention that within the reporting period other important
projects have been implemented, namely:
- Draft of the National Strategy on personal data protection. For elaboration of this document’s
draft, there were invited and accepted the invitation to participate the representatives of the
Commission on national security, defense and public order of the Parliament of the Republic of
Moldova, Ministry of Justice, Center for Human Rights of Moldova, State Chancellery, IDIS
‚Viitorul’, Pro Marshall Center of Moldova, Non-governmental organization Pro Data Lex. At the
same time, in June 2012, the interinstitutional working group was created and started its effective
activity by the Order of the Director of the Center, having its direct task to establish necessary
directions and sectors to be reflected in the expected document and approved by the Decision of the
Parliament of the Republic of Moldova. The Working group examined the situation in this regard with
the scope to identify necessary measures and actions to be taken with the view of ensuring conditions
for implementation of the provisions of law, as well as ensuring correspoding level of personal data
protection in the Republic of Moldova. In the process of activities linked with the elaboration of this
important draft, working group members took benefit from the support and assistance of the experts of
the project financed by the European Union „Support to the Government of Moldova in the field of
anti-corruption, reform of the Ministry of Internal Affairs, including police and personal data
protection” (MIAPAC) by organizing in this regard more than 15 joint meetings. At this moment, the
draft of the Strategy was tranferred to interinstitutional working group for their proposals and
recommendations, meaning that after its finalization, it will be submitted to public discussions and
presented for approval;
- draft of the Law on amending and completing some legislative acts that are related inclusively
to the Law no. 182-XVI as of 10 July 2008 regarding the approval of the Statute, structure, staff-
limit and financial arrangements of the National Center for Personal Data Protection.
Essentially, by this project it is planned to reach the goal of ensuring the possibility to establish
the structure and quantity of personnel of the Center by the Director of the Center through
Parliamentary Decision and not by law as it is now. Thus, at the moment when Parliament approved
the Law no.133 on personal data protection as of 08 July 2011, it was agreed to include following
provisions into Art 19 para (3): ‚The Statute of the Center, its structure and staff-limit shall be
approved by the Parliament’. This wording is not sufficient taking into consideration that in present the
structure and the number of personnel of the Center are established by ordinary Law. no. 182-XVI as
of 10 July 2008, art.1 lit.b) and c);
29
- draft Law on video surveillance, initiated by a group of MPs in the Parliament of the
Republic of Moldova. This draft law, in the elaboration of which the Center’s representatives
participated, is an appropriate one and requires to be supported bearing in mind that it contains the
proposal to regulate in a normative and special way, important aspects related to personal data
protection and fundamental rights of individuals as regards personal data processing through means of
video surveillance.
2.2 Giving opinions on normative and legislative Acts
Taking into consideration the fact, that the Center is the public authority entitled with the
functions of control in the area of personal data protection, and in compliance with the provisions of
Law on normative acts of the Government and other authorities of central and local public
administration, Law on legislative acts, as well as the Decision of the Government as regards
harmonization of the legislation of the Republic of Moldova with the community legislation,
41 normative and legilative acts related to issues of human rights and freedoms protection, personal
data protection have been approved in the period of 2012, namely:
Draft of National Human Rights Action Plan for 2011-2014, as a result, the Center
proposed to include personal data protection course into Curriculum of the high schools, including
National Institute of Justice; to organize seminars and workshops with the scope to promote the idea of
sectorial normative framework harmonization with the principles and norms on personal data
protection stipulated by the Directives and Recommendations of the European Union; to amend the
Law on e-commerce, Law on civil aviation and normative acts that regulate the activity of the
competent authorities on prevention, investigation, identification or prosecution of contraventions,
implementation of justice, namely execution of sentences with the view to comply with the principles
of personal data protection;
draft Law on amending and completing the Law on preventing and combatting
information crimes;
draft Law on amending and completing the Contravention Code of the Republic of
Moldova;
draft Law on amending and completing some legislative acts, elaborated with the scope
to harmonize the legislation in force in correspondence with the provisions of Law on e-money
payment services;
draft Law on amending and completing the Family Code, Law on marital statute, Civil
Code, Civil Procedure Code, Law on local public administration by recommending to adjust some
30
norms of the draft in correspondence with the principles that regulate personal data processing,
esspecially related to trans-border transfer of personal data;
draft Law on amending and completing the Law on identification acts of the National
passport System, Law on exit from the Republic of Moldova and entry to the Republic of Moldova,
Law on training the citizens to defend their country, Law on acts of civil status, Election Code,
Concept of the automatized information system ‚Elections’, by recomendation to precisely indicate the
personal data categories that shall be processed, as well as excluding the undefinite phrase – ‚auxiliary
data’;
draft Law on amending and completing the Law on e-communication by proposing to
regulate the obligation of service suppliers to process personal data in compliance with the Law on
personal data protection;
draft Law on the activity of the Police and policeman status, by recommending to adjust
the terminology in compliance with the one used in Law on personal data protection and tranferring of
the provisions of legislative act, esspecially art. 12 - 16, 29 and 30 to the approved draft, expressive
stipulation of the obligation to ensure organizational and technical measures required for personal data
protection, as well as the obligation of the policeman to ensure confidentiality of personal data which
he/she will be familiarized with during performing service duty;
draft of the Decision of the Government on establishment of accepted values of
simbolic presents, offered to show politeness or following certain protocol as well as approval of the
Regulation as regards evaluation, evidence, storage, usage and purchase of presents;
draft of the Decision of the Government on approval of the Regulation on travel
documents, by proposing to reconsider some provisions by norms that regulate the principles on
personal data protection, as well as including the chapter that automaticaly regulates personal data
protection linked with issuance of travel documents;
draft of the Decision of the Government for approval of the Regulation as regards visa
issuance, by proposing to include some norms regulating rights of personal data subject;
draft of the Decision of the Government for amendment and modification of the of the
Decision of the Government no. 345 as of 30 April 2009 on State Registry of non-commercial
organizations, by proposing to exclude the provisions through which local public administration shall
transfer to the Ministry of Justice the copy of identification card of the association
manager/management;
31
draft of the Decision of the Government on Memorandum of Understanding between
the Republic of Moldova and the International Bank for Reconstruction and Development (IBRD) and
the International Development Association as regards promoting free access to financial data, by
proposing to include provisions in which it is clearly stipulated that the financial data tranferred to
IBRD and IDA shall be depersonalized;
draft of the Decision of the Government on amendment and modification of the of the
Decision of the Government no. 1372 as of 23 December 2005 on „compensation of medicines in
conditions of mandatory health insurance”;
draft of the Decision of the Government on approval of the amendments operated in the
of the Decision of the Government no 201 as of 11 March 2009 as regards application of the
provisions of Law on public service and the status of public servant, by proposing to exclude some
chapters from the personal files, establishing the responsibility for violation of personal data
confidential regime and excluding the possibility to store the copies of personal files within the public
authority in which the public servant was leading his activity;
draft of the Decision of the Government on amendment and modification of the of the
Decision of the Government no.1356 as of 03 December 2008 as regards ‚Social Assistance’
informational system structure, by proposing to amend the draft with the norms related to the aspect of
the implementation of legislation that regulates the area of personal data protection planned to be
processed;
draft of the Decision of the Government on approval of the Regulation on the procedure
of documents supralegalization, by proposing to regulate the terms of requests archiving, as well as
harmonization of the draft context in compliance with the provisions of the Requirements to the
personal data security during their processing in frames of informational personal data systems;
draft of the Decision of the Government on the amendment to the paragraph 48 of the
Regulation on forestry funds renting with the scope to arrange household hunting and/or recreation,
approved by the Decision of the Government no. 187 as of 20 February 2008, by proposing to apply
the regulation of the aspects related to confidentiality and personal data security processing, as well as
adjusting some norms of the provisions of the Convention on access to information;
draft of the Decision of the Government on establishment of the professional day ‚the
Day of public servant”
draft of the Decision of the Government on approval of the amendaments and
modifications operated in the Decision of the Government no. 1310 as of 31 October 2003 on
approval of the Regulation on receiving, evidence, storage, sistematization and usage of dactiloscopic
32
information and the List of functions occupied by the persons that are subject to mandatory
dactiloscopic registration in compliance with the legislation in force;
draft of the Decision of the Government on approval of the draft Law on amendment
and modification of the Law on health protection, Criminal Code, Civil Procedure Code, Enforcement
Code, Law on rights and responsibilites of the patient, Law on tuberculosis control and prophylaxis, by
proposing to make some amendments and modifications with the view of adjustment of these
legislative acts in compliance with the provisions of national legislation on personal data protection,
especially including of the provisions on the necessity to ensure the personal data confidentiality, as
well as the right of the personal data subject to receive information;
draft of the Decision of the Government on the approval of the Regulation on issuance
of the identification acts and evidence of residence in the Republic of Moldova, by proposing to
amend the draft with the provisions on mandatory personal data processing in compliance with the
Law on personal data protection, as well as proposing the possibility of signing the identification act
by minors;
draft of the Decision of the Government on the approval of models and application of
the new-type identification acts. Based on the fact that the storage of the identifications cards’
accopmanying sheets is required inclusively due to the scope of secure elections ( application of the
‚vote’ stamp), the fact, that in some circumstances, reveals the political views of the person, the Center
insisted on elaboration of separate accompanying sheet, aimed specially at making records related to
achievement by the citizen of his right to vote, thus, it could be used, for example, during five electoral
circles. Under situation when this opportunity won’t be taken, collection of copies of the identification
cards and the accompanying sheets by some entities with the scope to employ somebody or conclude
the service contract etc. will automatically include this entity in the list of personal data controllers that
process special category of personal data unjustifiedly and illegally; that fact contradicts the
fundamental principles on automatized processing of personal data, stipulated by the art. 5 of
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
and art. 4 paragraph (1) letter c) from Law on personal data protection;
draft of the Order of the Ministry of Justice on modification and amendment to the
Regulation on admission of judicial interns and internship conditions;
draft of the Order of the Ministry of Internal Affairs on approval of the Instruction on
the mode of issuance of the certificates of good conduct in its version as of 12 April 2012;
33
drafts of Metodological Norm on fraud and corruption and detailed rules on audit
sampling, elaborated by the Ministry of Finance, by proposing the introduction of the provisions
regulating confidential and secure regime of personal data processing;
draft of the „Regulation on providing information by the Documentary Department of
the State Enterprise” Center for State Information Resources ‚Registru’ by proposing harmonization of
the Regulation with the norms and principles stipulated by the Law on personal data protection,
including elimination of providing the information related to subjets’ ethnos;
Draft Regulation on personal data protection on health state of persons being in custody
of the Department of Penitentiary Institutions of the Ministry of Justice, by proposing harmonization
of some notions and syntagms with the norms regulating the state of personal data protection,
introduction of norms regulating the principles of personal data protection; rights of subjects of
personal data protection; obligation of the medical staff to store personal data confidentially; obligation
of the Department of Penitentiary Institutions of the Ministry of Justice to ensure personal data
security, etc.;
Draft of the Order of the Customs Service on approval of the Intsruction on the
procedure of requesting and issuying obligatory information on goods origin;
Draft of the Order of the Ministry of Internal Affairs on approval of the Regulation on
personal data processing by the subunits of the Ministry of Internal Affairs, by proposing revision of
some terms, cases of personal data collection, without the consent gived by the data subjects;
establishment of some precise conditions of personal data storage, inclusion of the controllers
responsibility arrising from the provisions of the Law on personal data protection into the text; revising
the volume of personal data that are intended to be processed; completion of the project on the
responsibility of the Service on personal data protection in frames of MIA; on annual basis till 31st of
January presentation to the Center of the generalized report on incidents that happened in relation to
personal data informational systems security;
Draft of the Foreign Account Tax Compliance Act (FATCA) and actions that shall be
taken with the view to ensure the mechanism of its implementation;
Draft of the Agreement between the Republic of Moldova and the Republic of Poland in
the area of social insuarance, by proposing to include the norms on providing guarantees in relation to
protection of rights of the personal data subject;
Draft of the Modal Agreement on personal data transfer, elaborated by the State Service
of Ukraine for Personal Data Protection, by proposing implementation of principles of the Decision on
34
the standard of contractual clauses for the transfer of personal data to processors established in third
countries, approved by the Decision no.2010/87/EU as of 05 February 2010;
Draft of the Agreement between the Republic of Moldova and Hungary in the area of
social security;
Draft of the Agreemenet between the Republic of Moldova and the Government of the
Kingdom of Sweden on the cooperation in the area of law implementation by proposing to include
some norms that would regulate the procedure of personal data transborder transfer, as well as rights of
the involved personal data subjects;
Draft of the Agreement on administrative cooperation between the Customs Service of
the Republic of Moldova and the European Anti-Fraud Office;
Draft of the Agreement between the Government of the Republic of Moldova and the
Government of Israel on temporary employment of citizens from the Republic of Moldova in certain
sectors in Israel State and a draft of Protocol A on its implementation, by proposing to conclude
separate chapter that would regulate personal data protection, specifically norms and principles of
personal data protection, including obligations of the Parties in relation to processed personal data;
Draft of the Agreement on nonexclusive licensing in frames of the Program ‚Safety
Oversight Facilitated Integration Aplication’ (SOFIA);
Draft of the Agreement between the Government of the Republic of Moldova and the
Government of the Republic of Montenegro on cooperation in the area of combatting organized crimes
by proposing implementation of the national legislation on the guarantees on protection of rights of
personal data protection subjects;
Draft of the Agreement between the Republic of Moldova and the Republic of Lithuania
in the area of pension insuarance, by proposing to amend the Treaty with the provisions that would
specify the right of persons to accept on request the information about tranferred or to be tranferred
data, to implement the right to access and to intervene into these data, as well as the right to address a
complain to the National personal data protection authority or to the Court, including to request
compensation in case of illegal personal data processing;
Draft of the Agrement between the Government of the Republic of Moldova and
the Government of Romania on implementation of the Police Cooperation
Convention for South-East Europe signed in Vienna on 15 May 2006, by recomending to include
the provisions that would regulate the necessity of ensuring personal data protection security, as well
as the right of personal data subjects.
35
CHAPTER III TRANSPARENCY IN DECISION MAKING PROCESS, COMMUNICATION AND PUBLIC
RELATIONS, PROMOTION OF THE FIELDS BY INFORMING CITIZENS
3.1 Mediatization of the Center's activity
Providing information to the public and civil society continue to be conducted largely through
the official page of authority: www.datepersonale.md , where are published information on European
and national legislation governing personal data protection field, drafts of normative acts developed
and promoted by the Center, the latest news with reference to personal data protection events held
nationally and internationally, on specific examined cases, sectoral analyzes performed, the
organizational structure and contact details of the national supervisory authority for personal data
protection and other information of public interest, being already recorded over 630 000 hits.
At the same time, the representatives of the Center participated in 6 TV shows and 5 radio
transmissions, gave 3 interviews, where were discussed issues that concern the protection of personal
data, in particular: personal data security on internet, telephone tapping, personal data protection
principles within population documentation etc.
In parallel, 81 articles and press releases were published that covered important aspects of the
Center's activity. Press agencies, taking over press releases and messages of the Center, reflected its
activity in 17 articles, stressing the importance of personal data protection and the rights of citizens in
this area.
For example, in an interview with the newspaper "Tribuna" on 13 November 2012, Mr. Vitalie
Paniş, director of the Center, answering to the questions, among others, mentioned:
"... Tribuna: In practical terms, the personal data of citizens of the Republic of Moldova, are
protected or not?
Vitalie Paniş: To answer the question there are to be taken into account two important aspects:
the legal framework and the level of legal culture of the population. If at legislation sector, the
situation is quite good, being offered sufficient guarantees for privacy of persons to be respected, in
terms of public awareness of the need to protect personal data, the situation is not so good. It is
important that each data subject to be aware that the disclosure of personal data to a controller, friend
or relative, in some circumstances, present a possible risk of interference with privacy. In this respect,
although personal data controllers, in most, ensures the privacy and security of personal data
processed, the data subject itself often generates uncontrolled disclosure. For example, failure to
maintain identity card in a place away from the eyes of third parties or annexation of copied identity
documents from different applications or petitions can lead to so-called "identity theft" when the
subject of these data will be put in a position to pay uncontracted loans, and so on, and then, bz
means of the court to show that he did not sign any transactions or contracts. Therefore, the main role
36
in the protection of personal data is played by the data subject and the questions "why?", "what for?",
"on what basis?", "for what period of time?", "whom? "," what guarantees are offered?" must be
addressed without hesitation to legal entities and individuals, including state authorities when these
aceste entities collect personal data. Person's attitude to his personal data is to be just as careful as
regarding property.
Tribuna: What problems is facing the Center in implementing the reforms proposed?
Vitalie Paniş: One of the problem faced by most public authorities, including the Center, is
insufficient funds that would allow the development of promotion activities of the domain at the
required level. Until now, due to the involvement of European officials and with the support of several
non-governmental organizations, we have been able to conduct training courses for health
professionals and some awareness actions - advertising spots on radio and flash mob. These actions,
however, are not sufficient, being necessary to attract the permanent attention of population on the
need to protect personal data. Another problem is the lack of qualified personnel in the protection of
personal data field, but also their fluctuation .... "
The Center concluded that the interaction with representatives of the "fourth power" and
participation in TV and radio programs, allows to identify the concerns or fears of contemporary
society. For example: Within the TV show Vox Powered from 06 February 2012 on "FREE TO
CHOOSE ON THE INTERNET" (www.publica.md), participants declared that the Internet is a great
advancement of humanity, today, many people can not imagine their life without cyberspace. It gives
more information and freedom of speech. However, it can be dangerous. In fact, the Internet is not
dangerous, but the way we use it and the information we consume. Just here appears the problem:
being covered of anonymity, people usually are not responsible in cyberspace. "Responsibility, it
really does not exist in the online environment. People are hiding anonymously and think that they can
afford anything," said the writer Nicoleta Esinencu. "When we talk about the internet, actually we are
talking about a broken mirror that shows us who we are. If the mirror is broken, it is distorted, we have
to wail on us, not on the Internet," said the psychologist Ian Feldman. The representative from
Evidence and control Department of the Center mentioned that these technologies make it possible to
monitor and control the person, requiring the regulation of these processes by the existence of national
laws. As a result of the televoting, the televiewers showed almost diametrically opposed views. While
48 percent believe that the Internet is a threat, 52 percent said that the use of the Internet is not
dangerous.
Taking into consideration the findings made as a result of participation in this program, the
Center placed on http://www.datepersonale.md/md/newslst/1211/1/4343/ instructions covering aspects of
37
children's interaction with the Internet "CHILDREN and the INTERNET ", prepared in accordance
with Directive 95/46/EC and Working Paper 2/2009 on the protection of personal data of children
adopted by the Working Group "Article 29" on data protection and founded on the belief that education
and responsibility are essential for the protection of personal data aimed at children.
Instructions are intended to answer questions about: Rules for keeping personal information
such as: name, password, address and home phone number, parents' work place and phone number or
phone number of the school where minors are studying; on behavior with images or photos of loved
ones; those on correspondence received or sent; mail chat, forums, social networking, and so on; on
how to complete the registration forms on some sites, including the importance of passwords and
antivirus programs. Instructions are aimed not only at minors, comprising sections like "Tips for
Parents", "What can you do to ensure the safety of children on the Internet", "Creating at home, a
custom profile of your child," "School role within personal data protection "," Student files "," School
life "," Installing video surveillance cameras "," Health "," School web sites "," Photos "," School
statistics and other studies ", etc..
38
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
Liubomir Chiriac Executive Director of IDIS “Viitorul” Dr. habilitated in physics and mathematics
IDIS “Viitorul” welcomes the initiatives and activities undertaken in the course of this year by the National Center for Personal Data Protection (NCPDP). Here we should also mention the launching of the Register of evidence of the personal data controllers, which ensures the implementation of provisions of the Law on personal data protection.
At the same time, we appreciate the Center’s initiative on raising discussions upon including a chapter on personal data protection into the Constitution, as it is done in other countries.
We express our hope for continuation of the implementation process of “Open Governments” and “Open Data” projects whereby ensuring decisional transparency and fighting corruption. We consider that specific interest should be paid to how personal data should be processed, as well as to the way of how social networks users’ rights are protected. At the same time, it would be opportune and necessary to continue the campaign of informing physical and legal entities with regard to the rights and responsibilities they have in the context of personal data protection.
With high consideration,
39
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
Adelina LUNGU, Director of civic association “Pro DATA Lex”, Member of Consultative Council of NCPDP
“Another year has passed. The fourth one from the moment when the legislative forum of the
Republic of Moldova decided to create a separate national authority meant for ensuring protection of
a fundamental right expressly established in the Universal Declaration of Human Rights and
European Convention of Human Rights – the right of privacy. Traditionally, at the end of the year we
are tempted to draw certain conclusions, total the activities carried out in the course of the year, give
consideration to quantitative and qualitative aspects of the results obtained or failed, as well as plan
new objectives for the upcoming year. In this respect, we have recently received an absolutely
unexpected, and, in my opinion, challenging for a public authority request, to evaluate the activities of
the National Center for Personal Data Protection. This opinion should be included uncensored into its
annual progress report!
Being aware (not by hearsay) of a non-constructive attitude expressed by the majority of state
institutions managers from the Republic of Moldova towards civil society, which dares to point to their
deficiencies in executing the act of governing, I consider that only those managers who together with
their teams have truly worked with dedication and endeavour in their field of activity in the course of
the year, who have praised human and material resources strictly according to the legislation, and
who have strictly followed the law and thus have the right to request the same from the others, could
go in for such a courageous act full of openness and unlimited transparency. Therefore, as
representative of civil society and as member of Advisory Council of NCPDP, I have accepted this
mission with great pleasure and without much hesitation and I will review the most important, in my
opinion, achievements, as well as deficiencies of the Center along 2012:
1. Despite the fact that this year (as well as previous years) the Center had an austere budget,
this did not prevent them from achieving the tasks set for the current year, presented in the progress
report of the Center for 2011;
40
2. Due to promoting some well thought-out information campaigns, the level of the Center’s
visibility has considerably increased together with the rate of awareness among population regarding
personal data protection issues;
3. The automated integrated information system “Register of evidence of the personal data
controllers” was successfully implemented and the procedure of registering personal data controllers
as well as the registry system processing the personal data was launched.
4. The dynamics of unauthorized access to the personal data stored in the state information
resources has significantly improved following the allocated efforts by the Center jointly with the
central public authorities and the civil society.
5. This year the legal provisions allowing the Center to fully implement its functional duties
have entered into force.
However, in our opinion, the following are among the major deficiencies of this year over
which the Center is requested to apply a series of complex measures in order to urgently address
them:
1. The slow pace by which the owners of personal data information systems are registering
themselves within the Center as controllers.
2. The absence, so far, of a short, medium or long term national strategy and an action plan for its implementation on the protection of personal data in the Republic of Moldova.
Faithfully yours,
41
3.2 Activities of informing and promoting the protection of personal data field
In parallel, in order to provide the public with information on some aspects that concern the protection
of personal data and to promote the objectives of protecting the rights and freedoms of individuals in
personal data processing, several actions were organized and carried out during the year of 2012 under
the aegis and / or co-participation of the Center, including:
On 27 January 2012 the Center with the support of “Pro DATA Lex” NGO, the Institute for
Development and Social Initiatives (IDIS) “Viitorul”, Amnesty International Moldova and the Mayor’s
Office of Chisinau Municipality inaugurated an exhibition of
pictures/posters on the specifics of personal data protection, which was
open until 5 February 2012 in the area where the monument of Ştefan cel
Mare si Sfint is located in Chişinău. The exhibition started with a flash
mob entitled “Personal data protection – a positive obligation of the
State” wherein promotional materials were disseminated (leaflets and
calendars, specially designed for this occasion) to passers-by and answers were provided to mass-
media representatives. Concurrently, the representatives of the Center held courses on the concept of
personal data, some aspects concerning the protection of personal data, particularly regarding minors,
and disseminated promotional materials in several high schools from Chisinau municipality, attended
by approximately 450 pupils and teachers. In parallel, the subjects of personal data, representatives of
civil society, including representatives of interested mass-media institutions, had the opportunity to ask
questions and receive answers in the framework of the "Open Doors" Day, organized in the premises
of the National Authority for Personal Data Protection. On this occasion interviews were provided
which were later broadcasted on TV and radio. For the first time the Moldcell Company was involved
in the public awareness process, which, as a personal data controller, sent messages with the text
“National Center for Personal Data Protection is warning: protect your personal data and do not
disclose it to third parties! www.datepersonale.md” to 100,000 subscribers – subjects of personal data.
- The “Personal data protection within the context of the cybernetic security in the Republic of
Republic of Moldova” workshop organized by the Information and Documentation Center on NATO
from the Republic of Moldova took place on 21 June. The event was attended by: representatives of
the NATO Excellence Center in Cybernetic Defense from Estonia, Center of Special
Telecommunications, Cybernetic Security Center, Electronic Government Center, Prosecutor’s
General Office, Intelligence and Security Service, IT experts and civil society representatives. The
workshop addressed the security level of the informational area in the Republic of Moldova in the
context of both the development of the E-service area and the insurance of personal data protection.
The representative of the Center’s Evidene and Control Department, who participated in the workshop
42
as a co-reporter, stressed out the national and international legal framework that regulates the personal
data protection area, specifically in information technologies, data transfer, Internet access and mobile
communications area, the observance of which would ensure an adequate security level of personal
data processing.
- On 10 August the Center's representatives attended an event organized by the National Bank
of Moldova. Aspects regarding personal data processing and ensuring an adequate data protection
regime in the banking area activity were discussed within the event. A presentation on the European
legal provisions and the legal framework of the Republic of Moldova on personal data protection, as
well as rules and principles of ensuring the security and confidentiality regime of personal data
processed by information systems, the personal data holders’ rights to access, oppose to not being
subject to an individual decision, intervention on data and cases of limiting the person’s rights were
presented. Within the event, which was attended by about 40 representatives of various subdivisions of
the National Bank of Moldova, specific cases were presented in which the National Authority for
Personal Data Protection had stated the fact of infringing the principles on personal data protection. At
the same time, specific aspects regarding the difficulties that occur in the implementation process of
the national legislation on personal data protection were emphasized.
- On 28 September on the occasion of the International Access to Information Day, an open-
doors day was organized. Representatives of legal entities (personal data controllers) and ordinary
citizens visited the Center and raised questions regarding the principles of personal data processing,
data holders’ rights, Center’s notification procedure regarding personal data processing operations, the
terms and consequences of failing to notify the Center accordingly, databases that are due to be
notified, the security audit of personal data information systems, the transborder transfer of personal
data.
▪ - On 4 October, following the request of the Medical Department of the Ministry of
Internal Affairs, the Center organized a seminar for the medical staff, where the “personal data
processing principles and ensuring an adequate protection regime of personal data in the medical area”
were discussed. The necessary instructions were given for carrying out personal data processing in line
with the Law on personal data protection and with the view to effectively implement the requirements
regarding the security of personal data processing by personal data information systems. About 30
employees of the Ministry’s polyclinic, of the military hospital and of the central medical-military
commission took part in the event, who demonstrated receptiveness and interest, committing to
implement in practice the principles of personal data protection.
43
- On 11 October and 8 November, at the invitation of the representatives of Taraclia
Regional Council and, respectively, Ialoveni Regional Council, the
Center’s employees carried out training seminars in the framework
of which they discussed „the principles of processing personal data
and ensuring their adequate protection regime within the local
public administration”. Around 50 and, respectively, 40
representatives of the local public administration of 1st and 2nd
level from these territory-administration units took part in the
events, as well as representatives of the decentralized services in the field and representatives of the
business community, where they analyzed and clarified practical aspects that the participants came
across in their service activity, offered the necessary instructions on the procedure of registration as
personal data controllers and the measures to be implemented by the local public administration
authorities to bring the processing of personal data in line with the law.
▪ - On 12 December, at the invitation of the General Department for Education, Youth
and Sport of Chisinau Municipal Council, the representative of the Center’s Legal and public relations
Department had a session in the framework of the meeting with the main managers of pre-university
educational institutions from Chişinău, in which they provided detailed information on personal data
protection, especially concerning the obligation to notify the Center and ensure the regime of
confidentiality and security of processing personal data.
3.3. High-level official meetings, cooperation with other national authorities The year 2012 was marked by various important events, in particular by establishing and
consolidating trust partnerships and hosting many visits, thus creating the Center’s „Friends’ Club”,
among which there are: the Embassy of Hungary in Chişinău, the EU Delegation in the Republic of
Moldova, experts and the leader of the EU funded project „Support the Government of Moldova in the
field of anti-corruption, reform of the Ministry of Internal Affairs, including the police and personal
data protection” (MIAPAC), the European Union Border Assistance Mission to Moldova and Ukraine
(EUBAM), the European Council Office (CoE) to the Republic of Moldova etc., who support and
permanently promote the notion of “private life” and “personal data” through various common
activities.
Thus:
▪ - On 10 February, the Center was visited by H.E. Dr. György VARGA, Ambassador
Extraordinary and Plenipotentiary of Hungary in Chisinau, and Mr. Ulvi AKHUNDLU, Head of the
44
European Council Office (CoE) to the Republic of Moldova. The discussions
mainly focused on aspects concerning the importance of personal data
protection, promotion of the principles of data protection and the right for
private life in Republic of Moldova, reviewing the activities carried out by the
Center in the context of fulfilling the National Program for the implementation
of the Republic of Moldova – European Union Action Plan on visa
liberalization regime, as well as the deficiencies in the process of implementing
the legal framework that regulates the area of personal data protection. During
the visit, it was mentioned that the actions for the improvement of the legal framework regarding the
field of personal data protection are consistent with the latest European and international tendencies.
On 15 March, H.E. Dirk Schuebel, Ambassador, Head of EU Delegation to the Republic
of Moldova, paid a visit to the National Authority for Personal Data Protection. During the visit the
progress and shortcomings in implementing the regulatory framework
concerning the protection of personal data were mentioned, including the
positive trends in the component "data protection" of MIAPAC project. It
should be noted that it was due to the personal contribution of the Head of
the EU Delegation to the Republic of Moldova that the Center was
included as a beneficiary of this important project.
- On 2 April, the Center had a working meeting with EUBAM experts - Mr. Andras Hugyik,
Good Governance Advisor, and Mrs. Katalin Pokorny, Integrated Border Management Advisor within
the Department of Institutional Development, who showed interest and availability for the
establishment of a bilateral cooperation in the context of the European Neighbourhood Policy,
emphasizing that the protection of personal data segment is one of common interest. Consequently,
EUBAM representatives specified that they will support projects aimed at promoting activities related
to personal data protection, raising public awareness on the rights and benefits related to protection of
privacy, promoting good practices by participating in regional and
international events, developing guidelines, in particular for theBorder
Police Department of the MIA and Customs Service of the Ministry of
Finance of the Republic of Moldova, aimed at applying correctly the
principles of personal data protection in the concerned sectors.
45
- On 27 June, the Center hosted a meeting with experts from the Federal Ministry of Interior of
Austria, during which the following topics were discussed: the role of personal data protection and the
importance of establishing a special regulatory basis to ensure an appropriate security level for
processing personal data when creating the DNA analysis laboratory in Republic of Moldova.
- On 12 October a meeting was held with representatives of the Border Police Department of
the MIA, where the issues were discussed and the necessary instructions were given regarding the
following: national institutions which would be entitled to obtain from the Border Police Department
personal data on state border crossing, the need for developing an instruction / regulation stipulating
the criteria for accepting to provide personal information to the above mentioned requesting
authorities, procedures and legal mechanisms for transborder transfer of personal data; and if the
Center’s authorization is necessary for transmitting data to countries that have signed the Convention
for the Protection of Individuals with regard to automated processing of personal data, how to inform
the personal data subject; possibility to classify information on the state border crossing by vehicles as
personal data;
- On 31 October a roundtable was organized with the participation of the management of the
Center, Ministry of Labour, Social Protection and Family, National Social Insurance House (CNAS),
Center for Electronic Governance, Social Inspection, and other decision makers of the above
mentioned authorities, in which concrete solutions were discussed and offered to the challenges
regarding the modality of providing the Center for e-Governance with data managed by the Ministry
of Labour, Social Protection and Family (considered as "open data" term); disclosure of data on
candidates for international adoption, the modality of granting access for the Social Inspection to the
data managed by the CNAS, etc.
▪
46
PERCEPTION OF THE DEVELOPMENT DEGREE OF PERSONAL DATA PROTECTION DOMAIN IN THE REPUBLIC OF MOLDOVA
Dorin RECEAN
Minister of Internal Affairs of the Republic of Moldova
“Personal data protection has become a subject of closer attention for the society and
institutions. The choice of the Republic of Moldova to engage in the necessary activities of the visa
liberalization regime with the European Union countries and the negotiation of the Association
Agreement has accelerated the processes in this regard.
The harmonization of the institutional legal framework with the highest European standards in
the view of ensuring the personal data protection is strictly necessary for the Ministry of Internal
Affairs. With the support of the EU experts, MIA has included the expressly relevant provisions in the
draft law regarding the Police activity and the status of the police officer.
In order to ensure the application of the legislation in the field, MIA has established the
Personal Data Protection Service, which is already functional. The competence of the Service includes
monitoring and control of the personal data processing through the elaboration of the security policies
and the control of their compliance. In addition, MIA and the National Center for Personal Data
Protection have signed a memorandum of cooperation in terms of training and adopting the best
practice in the field of personal data protection. MIA pays a special attention to the security of
documents and informational flows.
The Republic of Moldova will become the signing part of the Operational Agreement of
cooperation with EUROPOL, that implies ensuring the confidentiality of information and the exchange
of classified information, including personal data.
The Ministry of Internal Affairs comprehends the complex and sensitive nature of the personal
data protection and undertakes all the necessary measures in order to ensure and respect the rights
and freedoms of the person.”
47
An important action, which needs to be described in details, is the signing by the Center in
August 2012 of the Partnership and Cooperation Memorandum with the Ministry of Internal Affairs of
the Republic of Moldova. This document is intended to guarantee efficient conditions for the
realization of the potential development of the dialogue and cooperation between both authorities. In
line with the provisions of the Memorandum, MIA has created at the central level, the Service of the
personal data protection, aiming at ensuring the establishment of such a subdivision at each level of
each territorial subdivision. Among the cooperation modalities, the document stipulates as follows:
experience exchange, organization of regular meetings and joint seminars, document exchange, results
of the scientific research; draft of joint proposals (draft of the regulatory documents) that cover aspects
dealing with the personal data protection domain; joint implementation of some public information
campaigns of the attributions of the two Parties, referring to the personal data protection; assistance in
the verification of security requirements regarding the minimum measures necessary to ensure the
personal data protection; unconditioned guarantee of the personal data subjects of the rights stipulated
by the law, with the correct and non-excessive application of exceptions regarding the provision of
these rights, in cases when the efficiency of the actions would be prejudiced or the aimed objective for
the execution of MIA legal competences.
The partnership concluded between the Center and MIA constitutes a component part of the
state’s efforts to ensure the protection of the fundamental rights and freedoms of individuals in regards
of personal data processing , and in particular, the right to inviolability of intimate, family and private
life.
The Center appreciates the concrete actions that aim at complying with the provisions of the
legislation on personal data protection, it should be mentioned that in the period after the appointment
of the Head of the Data Protection Service in the framework of the Ministry of Internal Affairs, he
attended 2 training seminars organized by the Center, had 5 official meetings with the Center's
representatives, as well as participated in 4 checks performed by the Center departing to the spot to
police subdivisions.
3.4 The Activity of the Consultative Council of the Center
The Consultative Council of the Center is a body created on voluntary principles, constituted
from representatives of several public authorities and the civil society5, its tasks and attributions are
5 Chapter IV p.3 of the Law no.182-XVI from 10 July 2008 regarding the approval of the Center's Regulation states that the composition of the Consultative Council should obligatory include: the chairmen of the National Security, Defence, and Public Order Commission, and of the Human Rights Commission of the Parliament (currently the Commission for Human Rights and Ethnic Relations); representatives of the Parliament Office, Office of the President of the Republic of Moldova, Government Office; as well as from Central and Local Public Administration Authorities, from civil associations which act in the field of human rights protection with regard to the personal data processing.
48
established in a Regulation approved by the director of the Center (available on the official website of
the Center www.datepersonale.md ).
During the reporting period, the members of the Consultative Council met in December,
discussing the issue of operations of personal data processing carried out by public authorities by
means of disclosure of the personalized content of the information or working documents on official
sites, including the experience and results of implementation of Law no. 133 from 08 July 2011 on
personal data protection. In addition, the results and the main achievements of the Center were
discussed in terms of personal data protection in 2012.
As a result, the members of the Consultative Council have highly appreciated the results
obtained by Center in 2012, as well as the fact that the National Authority for Personal Data Protection
has managed to remain impartial, from the political point of view.
At the same time, it was recommended to intensify the mediatisation activity of the main
realizations, as well as of the problems faced by the Center, by outlining the necessity of development
of a more consistent dialogue with the representatives of the civil society, that need to be involved in
the process of the domain promotion, including the training of subjects of personal data in terms of
knowledge of key concepts and rules of conduct in relation to the personal data controller. In parallel,
the Consultative Council members offered to actively get involved in the process of finalizing the draft
of the national strategy of personal data protection and to contribute to the Center's activity plan for
2013.
49
CHAPTER IV INTERNATIONAL CO-OPERATION
PERCEPTION OF THE DEVELOPMENT DEGREE OF THE PERSONAL DATA PROTECTION DOMAIN IN
THE REPUBLIC OF MOLDOVA
Natalia GHERMAN Deputy Minister of Foreign Affairs and European Integration of the Republic of Moldova
“The subject of private life protection and the default protection of the personal data becomes
more and more a part of the fundamental human rights and values that appear on the agenda and
daily attention of the citizens of the Republic of Moldova, a process especially connected with the last
evolutions in the world of media, informatization and industrialization of the interaction processes of
individuals with the private sector as well as with the public one.
However, transposition into the national legislation of the European provisions on personal
data protection plays a key role in the launching of Association Agreement Republic of Moldova –
European Union negotiations and implementation of conditionalities of the European Union –
Republic of Moldova Dialogue on visa liberalization regime.
The improvement of the legal framework regulating the personal data processing in
accordance with the highest European and international standards through the adoption on 8 July
2011 of the law on personal data protection in a new version allowed on 19 November 2012 the
official transition of the Republic of Moldova into the second phase of the European Union – Republic
of Moldova Action Plan on visa liberalization regime.
In addition, ensuring a high level of personal data protection is essential for the RM progress
in the initiation and negotiation of the Cooperation Agreement with Eurojust and the Operational
Agreement with the European Police Office (EUROPOL).
The commitment and professionalism demonstrated by the National Center for Personal Data
Protection of the Republic of Moldova in the undertaken activity was confirmed also by the European
Union, the Center being considered a case of good practice within the Eastern Partnership.
In this context, I would like to thank the whole team of the National Center for Personal Data
Protection for the manifested commitment in achieving national objectives regarding the promotion of
legislation on personal data protection. "
50
▪ 4.1 Participation in international conferences, as well as in the sessions of international working groups
▪ On 15 February 2012, the European Commission published the Second Progress Report
on the implementation by the Republic of Moldovaof the Republic of Moldova - European Union
Action Plan on visa liberalization regime, which states generally very good progress in the realization
of the first phase of adjusting the legal framework in terms of visa liberalization and evaluates, in
particular, as very good the progress in strengthening the legal and institutional framework for the
protection of personal data.
▪ In this context, it may be mentioned that the implementation of Phase II conditionalities
of the Republic of Moldova-European Union dialogue on visa liberalization regime and the
internationalization of the issues related to the protection of the personal data processing led to
enhanced cooperation between the European authorities for the personal data protection, including the
progress of the Center that has been marked considerably on international level.
For instance, throughout 2012, the Center was constantly represented at international and
European conferences of Data Protection Commissioners, at plenary sessions of the Consultative
Committee (T-PD) of the Convention no. 108 and different study visits, establishing relations with
European structures aimed at the protection of personal data, such as EUROJUST and EUROPOL,
including the authorities for Personal Data Protection from Czech Republic, Kingdom of Sweden,
Romania etc., that made significant contribution to the smooth running of study visits and workshops
organized by the Center during the year.
Considering the fact that the effectiveness of the protection of personal data activity at the
national level depends on the manner how the international treaties to which the Republic of Moldova
is party are implemented, including the cooperation with personal data protection authorities at
bilateral, regional and international levels, as well as on the fact that the most important events that
facilitate the international cooperation, experience transfer, opinion exchange, including the evaluation
of the possibilities and challenges related to data protection, certainly represent high level conferences
and meetings of national protection of personal data; the Center, during 2012 was represented at the
following events:
- Spring Conference of European Data Protection Authorities, one of the most important annual
events held in the city of Luxembourg under the title "The new EU legislative framework on data
protection: expectations on compliance?”
▪ During the sessions major issues in the field were discussed, such as: modernization of
the Convention for the Protection of Individuals with regards to Automatic Processing of Personal
Data and the Additional Protocol, the new draft Regulation of the European Parliament and Council on
51
the protection of individuals with regard to the processing of personal
data and on the free movement of such data, the draft European
Parliament and Council Directive on the protection of individuals with
regard to processing of personal data by competent authorities for the
prevention, detection, investigation or prosecution of criminal
offenses or the execution of sentences and the free movement of such
data. Finally the Resolution on the European reform of protection of personal data was adopted;
▪ - the 14th Conference of the Data Protection Authorities from the Central and Eastern
Europe, which took place in Kiev, Ukraine, with the participation of the representatives from Albania,
Bulgaria, Czech Republic, Estonia, Russian Federation, Macedonia, Montenegro, Poland, Serbia,
Slovenia, Ukraine and Hungary. During the sessions important subjects were touched upon: video
surveillance of the football pitches, especially in the UEFA European Football Championship - Euro
2012, the Schengen Information System, the new framework for personal data protection in the
European Union; aspects of implementing legislation regarding the freedom of information in the
countries of Central and Eastern Europe, etc. During the sessions of the Conference, the director of the
Center reported about the challenges and progresses registered by the National Authority for Personal
Data Protection of the Republic of Moldova. At the same time, the evolution of the state of affairs in
the field of the personal data protection in all the participating countries at the mentioned event was
discussed. At the end of the Conference, the participating delegations have voted unanimously the
Declaration regarding the acceptance of the Authority for Personal Data Protection of Bosnia and
Herzegovina as the new members of the group of the Commissioners for Personal Data Protection
from the Central and Eastern Europe.
- as a result of close cooperation with Association of Francophone Personal Data Protection
Authorities (AFPDPA), the Center was invited and participated at the 6th AFPDPA Annual Meeting
held in November this year in Principality of Monaco. In the framework of the Assembly the balance
of AFPDPA activities and its members was presented; important issues faced by authorities from
francophone area related to personal data protection were discussed.
-as a permanent member, the representative of the Center participated at the sessions of the 28th
and 29th plenary meeting of the Consultative Committee of the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data (T-PD) a process that began in the
framework of the celebration of the 5th edition of Data Protection Day (28 January 2011), when the
Secretary General of the Council of Europe launched a public consultation to address the concerns of
governments, civil society and the private sector regarding the right for private life. The main reason
for convening the Consultative Committee's discussions was the necessity to finalize the discussions
52
held in the framework of the T-PD on the modernization of Convention no. 108, priority action in the
framework of the Biennial 2012-2013.
During the sessions the proposals of modification to the international treaty were reviewed,
being thoroughly discussed and debated the visions and initiatives of States-Parties with reference to
the subject, the project of modernization of the Convention no. 108 being approved, with the proposal
to subject it to the internal procedures of the Council of Europe.
At the same time, at the meeting, T-PD members had been familiarized with the trends aiming
at the globalization of application area of Convention no. 108 by opening accession to the treaty for the
states regardless of the location or affiliation to any international organizations such as the Council of
Europe, the European Union, etc., but also the establishment of the more rigorous mechanisms of the
enforcement of protection norms for personal data, including by strengthening the administrative skills
and capacities of the national authorities for personal data protection.
Another important issue examined by the Consultative Committee were the Recommendations
for ensuring the right for private life in media developed by representatives of journalists, media,
associations, NGOs, national experts, etc., and experts of Council of Europe in the project to promote
European standards in Ukrainian media, a document recommended to be taken over by the States
Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data.
Additionally the project of modification of the Recommendation (89) 2 of the Committee of
Ministers to member states on the protection of personal data used for employment purposes,
authorized by the Bureau of the Consultative Committee of the Convention no. 108 to finalize the
modification project of this document with its further examination in the framework of the 30th plenary
meeting of T-PD. The members of T-PD were also familiarized with the information presented by the
Google representative referring to the initiative of this company in regards to the services delivered to
the customers and the reports of the representatives of the private sector and the law enforcement
authorities.
4.2 Assistance from which benefited the Center through the Technical Assistance and
Information Exchange instrument managed by the Directorate - General Enlargement of the
European Commission (TAIEX)
Since the creation of the national control Authority for personal data protection, the institution
was always supported by TAIEX through projects approved and financed by this Instrument.
It should be emphasized that TAIEX approved seven projects proposed by the Center, 5 of
which are study visits and 2 workshops on the protection of personal data in the various sectors which
will be carried out during the years 2012 -2013 as follows:
53
- 12th of March, representatives of the Center undertook a study visit to the Office of the
Information Commissioner for the United Kingdom of Great Britain and Northern Ireland (ICO) in
order to adopt the good practices regarding personal data processing in health and confidentiality of
patient data, including the implementation of Recommendation 87/15 of the Committee of Ministers
regulating the use of personal data in the police sector.
- also, supported by TAIEX, the Center organized and ran from 31 October to 2 November first
workshop in the Republic of Moldova entitled "Protection of personal data and cooperation with
EUROPOL," attended by EU experts, representatives of the Office of Personal Data Protection and
Data Protection Department of the Police Presidium of the Czech Ministry of Interior, including the
European Union Border Assistance Mission to Moldova and Ukraine and 50 representatives of the
Ministry of Internal Affairs of the Republic of Moldova and the Border Police Department. The
objective of the workshop was to provide support to the Republic of Moldova to comply perfectly with
EUROPOL vision: building a safer Europe vis-à-vis the protection of personal data and prepare the
ground for launching negotiations on operational cooperation agreement. The event focused on
intensive training of participants in theory, through the approach and description of standards
implementation process of EU legislation on the protection of personal data. After the theoretical
sessions, the simulation exercises were conducted in order to pre-evaluate the security of personal data,
visiting some of MIA structures. Similarly, there were held exercises on how to exercise the right of
access of the subject to personal data.
Consequently, the Data Protection Department of the Police Presidium of the Ministry of
Interior of the Czech Republic expressed its willingness to host a study visit of the delegation of the
Ministry of Internal Affairs of the Republic of Moldova with the aim of adopting the good practices in
the regulation of personal data in the police sector of activity.
4.3 Relations with EUROJUST
In order to familiarize with the procedures of EUROJUST6 activity and their transposition in
national plan in the sector of personal data protection, in September there was held a study visit to
EUROJUST. The event had a national impact, where the progress registered by the Republic of
Moldova was recognized on legal regulation of personal data protection field and a new platform was
launched for direct cooperation Republic of Moldova-EUROJUST in the context of preparing for
initiating negotiations on Cooperation Agreement.
As a result of the visit, the Director of the Data Protection Service at EUROJUST assured of
the fact that the findings made during discussions have clarified open issues concerning personal data
6 EUROJUST - body of the European Union established by the Council's Decision of 28.02.2002 (2002/187/JHA), to reinforcing the fight against serious crime, with legal personality, consisting of prosecutors, magistrates or police officers of equivalent competence and financed from the general budget of the European Union.
54
protection in the Republic of Moldova and provided additional
relevant and necessary insights to finalize Assessment Report that will
be presented to the External Relations Team of College of EUROJUST.
Concurrently, the members of
the delegation attended the meeting of
EUROJUST College where they had the opportunity to meet
personally with each national representative in part, including the
President of EUROJUST, which assured the support and assistance
that will be given to the Republic of Moldova in order to meet all conditions necessary for carrying out
procedures of negotiation and conclusion of Cooperation Agreement with EUROJUST.
Consequently, EUROJUST College adopted a positive decision, having informed the
European Council on 28 November 2012 of its intention to commence in February 2013 negotiations
on the Agreement on cooperation with the Republic of Moldova.
We remind that EUROJUST played a key role in the harmonization of the legislation of the
Republic of Moldova governing the protection of personal data to the European standards, intervening
not only in the process of expertise of the developed projects, but also in the process of evaluation of
the results obtained by responsible national authorities (as reflected in previous annual reports of
activity of the Center).
55
4.4. European assistance programs for acquisition and implementation of good practice at national level
THE DEVELOPMENT PERCEPTION OF THE FIELD ON PERSONAL DATA PROTECTION IN THE
REPUBLIC OF MOLDOVA
Carsten MAHNKE, Team Leader of the Project funded by European Union "Support the Government of Moldova in the field of anti-corruption, reform of the Ministry of Internal Affairs, including the police and personal data protection"
„Protection of personal data has gained global importance steadily in recent years.
In this context, it is a pleasure to see that the Republic of Moldova created together with the
National Center for Personal Data Protection of the Republic of Moldova a strong and modern
institution that is fully dedicated to the protection of personal data.
During 2012, the Center together with all Moldovan society can celebrate the entry into force
of the Law on personal data protection in new version, which largely reflects the paragraphs that
describe the standards and best European practices, offering better and more comprehensive
protection.
Important steps have been taken in training and cooperation with other state authorities.
Separately, we can mention about increasing of cooperation with law enforcement agencies under the
auspices of the Ministry of Internal Affairs, where continuity of its activities will contribute to a
modern understanding of the scope of personal data protection, based on European values. "
56
THE DEVELOPMENT PERCEPTION OF THE FIELD ON PERSONAL DATA PROTECTION IN THE
REPUBLIC OF MOLDOVA
András JÓRI, Dr. EU Expert, MIAPAC project, Former Parliamentry Commissioner for Data Protection and Freedom of Information of Hungury
„I had the opportunity to start my career as an employee of first Data Protection Commissioner of Hungary, shortly after the establishment of the Office. I will always remember these moments: we were champions of a new constitutional right, enthusiastic and committed to our goals: to protect the right to privacy of citizens from the state and corporate invasions. We had the opportunity to build a new institution that can help ordinary citizens to exercise their rights in everyday life.
A dictatorship has become a democracy, rule of law began to be respected, we were hopeful.
Such moments are rare in history, and one must consider lucky to live these days as of the past. When I started my activity in the Republic of Moldova as an expert at the National Center for Personal Data Protection, I realized that I was offered an unexpected and unique chance to relive those moments again. I met very dedicated and professional colleagues. I felt and feel the courage of the management and staff of the Center to act independently in order to build a better democratic society.
Regardless of financial constraints, the Center always accepts challenges when constitutional
rights are at risk, even if its opponents are stronger and better positioned as public authorities. The history of personal data protection Authority in the Republic of Moldova, in my opinion, is much more impressive in this regard than the data protection authorities working in EU countries. Professionalism and independence will bring results soon. The liberalization of the visa regime will bring new opportunities for Moldovan citizens; ensuring an appropriate regime for the protection of personal data will make a contribution to the country's economy by attracting investors who will appreciate the updated regulation of their activities in ICT and law protection of personal data. But more important point is that the excellent work of the Center will strengthen democracy in the Republic of Moldova. I am honored to have the opportunity to act with Mr. Paniş and his staff in these important times, and I wish them courage, persistence, and success in the future."
57
To promote the concepts of "personal data" and "privacy", the Center, starting wiyh 17th of
January 2011, became the recipient of the collaborative project between the European Union –
Republic of Moldova "Support the Government of Moldova in the field of anti-corruption, reform of
the Ministry of Internal Affairs, including police and protection of personal data" (MIAPAC).
The project aims to support national supervisory authority of personal data protection in the
process of creating mechanisms to promote personal data protection field and alignment of the
regulatory framework at European and international standards, in the context of negotiations on the
future Association Agreement European Union – Republic of Moldova and implementation
requirements in the context of the dialogue on visa liberalization regime with the European Union.
Within the project, the Center, in partnership with the Management Board of MIAPAC held
several seminars, the most extensive being:
training seminar regulating the use of personal data in the operative activity of investigation,
police and judiciary with participation of the representatives of law enforcement agencies of
the Republic of Moldova and EU trainers concerning the protection of personal data. The aim
was to give a presentation as a whole vis-à-vis the European legislation (in particular
Recommendation R (87) 15 of the Committee of Ministers (Council of Europe) to Member
States regulating the use of personal data in the police sector and Council Framework Decision
2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
framework of police and judicial cooperation in criminal matters) and the Republic of
Moldova on the protection of personal data for law enforcement employees and compliance
with public order of the Republic of Moldova;
training seminar regulating the use of personal data and location of monitoring and
surveillance devices inside educational institutions, with the participation of national experts
and the European Union on the protection of personal data. The main objective of the seminar
was to present European and Moldovan regulatory framework on the protection of personal
data and developments and current trends in this field of the employees of educational
institutions of the Republic of Moldova, conditions and principles that are to be observed in
the location of monitoring and surveillance devices inside educational institutions. The
58
seminar was attended by representatives of the Departments of Education, Youth and Sports of
the Municipal Councils of Chisinau, Cahul, Gagauzia, Riscani sect. Chisinau mun., including
high schools "Mihai Viteazul", "Prometeu", "Orizont" and school no. 2 from Vulcăneşti, as
well as the Center for Human Rights of Moldova;
training seminar for civil servants of the Ministry of Justice on "Regulating processing
of personal data and ensuring their adequate protection regime", with the participation of
national trainers and the European Union concerning the protection of personal data. At the
event attended by the representatives of the Cabinet of Minister, Notary and Lawyer
Department; Department of noncommercial organizations; Department of apostille,
Department of judicial executors, Department of governmental agent, Department of Justice of
ATU Găgăuzia, Human Resources Department, Legal Information Center, Central Probation
Office, Civil Service, were discussed in detail the rules and principles to ensure the appropriate
level of system security and confidentiality of personal data at their processing in information
systems of personal data and the need for designation of the person responsible for personal
data protection in public and private institutions;
national training workshop for 30 representatives of
National Health Insurance Company, including directors of
local agencies in Chişinău, Bălţi, Bender, Comrat and
respectively of Ialoveni, Hînceşti, Cahul, Orhei, Ungheni,
Căuşeni, Taraclia, Anenii Noi, Soroca and Edineţ rayons. The subject of training seminar
focused on "Regulating processing of personal data and ensuring their adequate protection
regime in the health insurance business", as trainers there were invited national experts from
the Center and the European Union on the protection of personal data;
training seminar of the officers of Border Police Department of the Ministry of Internal
Affairs aimed at regulating the processing of personal data and ensuring their adequate
protection regime in supervision, state border control, illegal migration and cross-border crime.
The carrying out of the seminar was requested by the
Border Police Department leadership, focused on
presentation of European and national regulations,
including EUROPOL Decision regulating issues
concerning the protection of personal data. During the
59
seminar, participants were informed about developments and trends in the protection of
personal data, which resulting from the extension of the right to privacy is subject to change
for modernization. Separately, there were discussed in detail the rules and principles of
assurance of the appropriate level concerning the system security and confidentiality of
personal data at their processing in information systems of personal data and the need for
designation of a person responsible for the protection of personal data within the Border Police
Department.
training seminar on regulating the processing of personal data and ensuring their
adequate protection regime in the legal sector. The seminar, held including in partnership with
the National Institute of Justice was attended by judges, prosecutors and administrative staff of
the National Institute of Justice and there were presented the basic concepts of the field of
personal data protection, legal and regulatory framework governing the sector given, concrete
examples of institutional cooperation. Simultaneously, there was discussed the issue of custom
publication of judgments of the courts on the web pages of judicial institutions; placing on the
website of the Prosecutor’s General Office custom format of public appeals attached to
interpellations and referrals of the Members of the Parliament of the Republic of Moldova;
storing and maintaining of personal data in civil, criminal, administrative files and ways to
ensure their security regime and confidentiality; role and importance of designation within
each institution of a person responsible for the protection of personal data and the experience
of the Republic of Moldova in personal data protection in legal sector.
another success that can be mentioned is the cooperation between the United Nations
Development Program in the Republic of Moldova and the Center. Thus, within the project
"Strengthening Institutional Capacity of the Ministry of Foreign Affairs and European
Integration", managed by the United Nations Development Program in the Republic of
Moldova and implemented with the financial support of the Romanian Government and
MIAPAC project, the Center was able to organize and conduct from 26 to 30 November 2012
the Workshop on taking best practices and assistance necessary to harmonize the national
legislation in the health sector, education sector and in law enforcement activity at Guidelines
and Recommendations of the European Union and Council of Europe on personal data
protection. As EU experts, there have participated representatives of the National Supervisory
Authority for Personal Data Processing, Head of Data Protection Office of the Ministry of
Administration and Interior of Romania and MIAPAC project experts. During the workshop,
they discussed techniques and practices to be implemented in national sectorial legislation, EU
Recommendations and Directives governing each sector, case studies and Romania's
60
experience with conducting practical exercises. The event was divided sectorial, involving
representatives from the Ministry of Education (Pillar I), Ministry of Health (pillar II),
Prosecutor's General Office, Ministry of Internal Affairs (MIA), Ministry of Defense, National
Anti-Corruption Center, the Intelligence and Security Service, State Protection and Guard
Service, Customs Service, Border Police Department of MIA, Department of Penitentiary
Institutions of the Ministry of Justice (Pillar III).
Also, with the support of the United Nations Development Program in the Republic
of Moldova there was organized a training course for officers from the Central Election
Commission, with the theme: "Regulation of personal data processing and ensuring their
adequate protection regime in the policy-making and electoral activity”. The event was
attended by representatives of the Center as experts-trainers.
61
CHAPTER V STREHGHTENING MANAGERIAL CAPACITIES OF THE CENTER
5.1 Human resources
In the period of 2012, the Center organized 4 vacant post competitions, to which 62 candidates
applied to, hiring only 4 persons and managing to replenish the number of personnel in the proportion
of 85%. Additionaly, 2 people resigned within the reference period. At the same time, employees of
the Center participated in an internal trainining course, organized by the experts of MIAPAC project,
11 external training courses, organized by the Academy of Public Administration under the President
of the Republic of Moldova, as well as the training course ‚Internal auditor course according to ISO
27001’, organized by the training Center IT ROMSYM.
5.2 Aspects regarding economic activity
In compliance with the provisions of the Article 19 of Law on personal data protection, the
Center’s budget shall be approved through Parliamentary Decision, after examination and its positive
approval by the Parliamentary Profile Commission and shall be submitted to the Government to be
further included in the Draft State Budget Law for the next year. This legislative provision, considered
to be very important for ensuring the aspect linked with the real autonomy of the authority in relation
to executive power and having entered into force on 14 April 2012, was already applied within the
Center. On 01 November 2012, the Parliament approved the Draft Budget of the Center for 2013 by its
Decision no.239.
Speaking about the aspects of financial activity for 2012, it is required to mention the fact, that
according to State Budget Law for 2012, the total sum of allocation included in the Center’s budget for
2012 constitutes 2127,0 thousand lei, out of which 1519,9 thousand lei is for the personnel costs, 647,1
thousand lei is for the utility costs, the austerity character of the approved budget imposes permanent
actions on priorities’ updating to be performed for implementation of the most important projects and
activities.
As regards the usage of the alocated financial means, the salary payment was the biggest part in
the costs structure, that in 2012 constituted 69,6 % and was increased up to the amount of - 1479,9
thousand lei, including:
- salaries payment - 1189,1 thousand lei;
- contributions of obligatory social state ensurances - 252,4 thousand lei;
- obligatory medical assistance insuarances premiums - 38,4 thousand lei.
62
The sum related to costs for goods and services purchased by the Center constituted 25,4% out
of alocated funds and represents values of 541,1 thousand lei.
Costs related to travelling with the scope of participation of the representatives of the National
authority for personal data protection in international conferences and working group meetings related
to „personal data protection”, represented 5% or 106,0 thousand lei out of total allocations for 2012.
Execution of cash accounts of the Center’s budget for 2012 constitutes - 96% in comparison
with the financial means planned at the beginning of the year with the alocated funds being used with
the view to ensure maximal efficiency in the area of personal data protection on the national level
under conditions of limited budgetary allocations.
63
CHAPTER VI PROBLEMS ENCOUNTERED IN ACTIVITY AND GOALS SET FOR 2013
6.1 Problems faced by the Center
Problems the Center delt with during 2012 for the most part bears a factual character: big
volume of work, salary grid unsufficient for the employees, staff rotation, reduced financing, absence
of international cooperation within certain state institutions and, as a result, decreased level of public
sensitivity and certain important participants, including individuals and legal entities whose activity
intersects with the activity on prosessing of personal data. Eventually, the Center continues to require a
strong support for remaining a pro-active authority on control of correspondence of personal data
protection to the provisions of law.
The biggest identified problem is unsufficient number of the Center’s staff. According to the
content of the report, during the year of 2012, the employees of the Center were involved in a big
number of activities. In some cases, unsufficient time as well as newcomers’ qualification do not
correspond to requirements related with the operativity and quality required for performing service
tasks. Namely, unsufficient number of employees is observed within the Department of evidence and
control, subdivision that is the main tool of the Center with the view of performing control of legality
of operations on personal data processing, as well as within the Legal and Public Relations Department
– subdivision involved in the review of sectoral regulatory framework as well as in the process of
presentation of Center’s interests in frames of subsequent trials.
Staff rotation is another important problem that we can not withdraw our attention from ( in this
sense it is worthwhile mentioning that it takes at least 6 months for the new employee to familiarize
with the specifics of personal data protection)
6.2 Goals for 2013
Despite of progresses registered by the Center, as well as the fact that the Law on personal data
protection, mostly, follows the principles enunciated by the Directive 95/46/EC of the European
Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on free movement of such data, it is necessary to perform more actions
ensuring more advanced level of normative regulations implementation with the view to ensure some
adequate level of personal data protection in the Republic of Moldova.
In the period of 2013 the Center plans to concentrate its special efforts, not limiting itself to
these particular objectives, on following:
- defining and promoting the idea of the National Strategy on personal data protection to be
approved by the Parliament of the Republic of Moldova in the mid-tem perspective;
64
- continuing active advertising of personal data protection area, including through organization
of seminars, training events, round tables, broadcasting public sports, through participation in
radio and TV shows with the topic of personal data protection;
- continuing to revise, approve and harmonize sectorial legislative framework in compliance
with the principles of personal data protection;
- examining and removing legislative gaps identified from the moment of entering into force of
the Law on personal data protection and Requirements of ensuring personal data security
during their processing in frames of personal data informational systems, including draft norms
for amendment;
- continuing the process of advertising and promoting the obligation to notify anf register
controllers of personal data;
- continuing the application process of the projects aimed at external support with the view of
professional development of the Center’s staff for elaboration of sectorial guidelines, as well
as harmonization of national legislation of the Directives and Recommendations of the
European Union and Council of Europe as regards to personal data protection;
- updating the Center’s official webpage with the view to ensure better interactive forum for
public and society related to National authorities for personal data protection, including
problems of non-compliance with law on personal data protection identified during the control
activity;
- introduction of the courses on topic ‚personal data protection’ into Training Curriculum and
courses, organized by the Academy of Public Administration under the President of the
Republic of Moldova, as well as by the National Institute of Justice.
65
Appendix no. 1 to Progress report of the Center for the year 2012
Statistics of operations on retrieving (accessing) and extracting
personal data archived in the State Registry of population
Appendix no. 1 to Progress report of the Center for the year 2012
Statistics of operations on retrieving (accessing) and extracting personal data archived in the State Registry of population
Entity 2009 2010 2011 11 months 2012
Data retrieval
Extracting personal
data sheet
Data retrieval
Extracting personal data sheet
Data retrieval
Extracting personal data sheet
Data retrieval
Extracting personal data sheet
General Prosecutor’s Office together with the local Prosecutors Offices
89199 14691 75520 12796 52353 11076 33006 8414
Ministry of Internal Affairs together with local subdivisions
725550 204587 671396
179211 546296 166271 439816 164893
Ministry of Defense 1032 0 2194 0 478 0 127 0 National Anticorruption Center together with local subdivisions
137632 9730 214735
15171 166348 14936 84056 6532
Customs Service 15989 2661 19081 3082 13422 2317 4985 1335 Intelligence and Security Service
82257 24951 129341
30304 74505 20006 26020 11605
Courts on all levels 1178 74 1383 55 1042 215 556 144
Court of Accounts
1900 110 2174 273 370 106 124 36
State Protection and Guard Service
11611 1884 16254 1706 12896 1028 4339 820
Municipality and district authorities
17919 0 49613 0 23362 0 4596 0
Department of Penitenciary Institutions
6847 921 4294 417 2723 346 800 204
66
Appendix no. 2 to the Progress report for the year 2012
292 294 305 293
1655166
1789516
1505910
1130243
309015275834 241973 215610
0
200000
400000
600000
800000
1000000
1200000
1400000
1600000
1800000
2000000
anul 2009 anul 2010 anul 2011 11 luni 2012
Statistics of consulting operations (access) and extraction of personal data stored in the State Register of Population
Numărul entităților publice și private care dispun de dreptul de acces la Registrul de stat al populațieiNumărul statistic al operațiunilor de consultare (accesare) a datelor cu caracter personal
Numărul statistic al operațiunilor de extragere a fișei personale
67
Appendix no. 3 to the Progress report for the year 2012
Translation of the (below) letter
MINISTRY OF HEALTH OF THE REPUBLIC OF MOLDOVA
17.12.12 no. 01-1/793 Management of medical institutions Within the current year a set of addresses/requests were sent to the Ministry of Health, including from the National Center for Personal Data Protection as regards to ensuring personal data security in frames of medical institutions, mainly related to chilren. Thus, broadcasting in mass-media with participation of children, making video and interviews in the medical institutions in some cases with the involvement of medical staff can be subject to breach of the following:
- personal data protection principles reflected in the Law no.133 as of 08.07.2011 on personal data protection;
- professional secret, envisaged by the art.13, Law no. 264 as of 27.10.2005 on medical professional
performance.
We would like to remind that in all cases, first of all, the superior principle of child interest shall be respected. Medical staff is not enetitled to provide any personal information about the children, including personal data related to their state of health, without parents or legal representative permission, whatever the reason, tendencies or intentions could be. At the same time, it is obligatory to have parents or legal representative’s expressed permission in written before staring to make any video or take interview. Vice-Minister /signiture/ Octavian GRAMA
68