On 11 November 2021, the Moldovan Parliament passed a series of legal amendments ("Law 175/2021"), including to the existing Law on Personal Data Protection. Law 175/2021 entered into force on 10 January 2022 and partially transposes the European Union's General Data Protection Regulation ("GDPR").
No more registration with the supervising authority
The most important change is that personal data controllers will no longer be obliged to submit prior notification (which in essence was a registration application) to the National Centre for the Protection of Personal Data (the "Centre"). This will help controllers overcome the Centre's formalistic approach when checking applications. Now controllers are on their own, free to implement the measures as they deem adequate and sufficient to ensure compliance with Law 175/2021. As of the date of entrance into force of Law 175/2021, the Register of controllers, previously kept by the Centre, will cease to exist.
Obligation to carry out an impact assessment
Law 175/2021 imposes a mandatory impact assessment in case the type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Where such a data protection impact assessment indicates that the personal data processing would lead to a high risk (and the controller believes the risk cannot be mitigated by reasonable means), the controller will be obliged to consult the Centre prior to initiating the respective personal data processing activity.
Data protection officer
Another novelty is the designation of a data protection officer. The cases where the controller is obliged to designate a data protection officer are similar to those listed in the GDPR (i.e. processing conducted by a public authority or institution, activities consisting in processing operations requiring regular and systematic monitoring of data subjects on a large scale, and activities consisting in the processing of special categories of personal data).
Cross-border personal data transfers
Under the new rules, the cross-border transfer of personal data is generally permitted, based on the principle of the free flow of personal data, to the Member States of the European Economic Area and to states that ensure an adequate level of personal data protection. The Centre is obliged to adopt and publish in the Official Gazette of Moldova the list of states ensuring an adequate level of personal data protection.
While admitting that the implementation of the new rules may require certain resources from the entities concerned to ensure they comply with the new rules, local personal data controllers may benefit from the experience of the European Union in implementing the transposed GDPR rules. Moreover, the amendments are a great opportunity for local subsidiaries to adapt their privacy policies to those of their parent companies.
By Andrian Guzun, Attorney at Law, and Viorica Cornescu, Associate, Schoenherr