16
Tue, Jul
71 New Articles

Moldovan Data Protection Law Follows Footsteps of GDPR

Moldovan Data Protection Law Follows Footsteps of GDPR

Issue 10.4
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

One of the most important recent buzzwords in Moldova, at the intersection of legal services and IT, is GDPR compliance and its associated complications (and opportunities) – to strictly follow both the GDPR (where applicable extraterritorially in Moldova) and the Moldovan legal framework, which is partially aligned with the EU law.

Two recent legal amendments to the Moldovan Data Protection Law 133/2011 – one enacted on January 10, 2022, and the other just voted in the second reading before the Moldovan Parliament two weeks ago – are finally solving several fundamental discrepancies between the Moldovan and EU laws. 

Firstly, a detailed legal regime has been introduced in the Moldovan law for the cross-border transmission of personal data, allowing a free movement of data between Moldova, the EEA states, and the countries ensuring an adequate level of personal data protection, as approved by the Moldovan regulator. This list currently includes countries like Argentina, Canada, Israel, Switzerland, or the UK.

Secondly, the problem of transferring personal data outside of EEA and the approved countries has been solved by approving the Moldovan version of the standard contractual clauses (SCC) covering three data-transfer scenarios: controller-to-controller; controller-to-processor; and processor-to-controller. 

Accordingly, if a controller/processor processes personal data originated in or transferred to the Republic of Moldova – and the processing operations are carried out in a country that is neither a party to EEA, nor on the Moldovan regulator approved list – it must sign the Moldovan SCC with the Moldovan counter-party. It must also proactively ensure that its own onward transfers to sub-processors provide adequate safeguards – even though the primary responsibility is on the controller and exporter of personal data to make assessments before allowing any personal data to be transferred outside of the EEA or the pre-approved list of countries.

Further, a significant legal amendment passed recently, which introduces the concept of “sub-processor” to Moldovan legislation, regulating that a processor shall not engage another processor without prior specific or general written authorization of the controller; in the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby allowing the controller to object to such changes. Before this legal amendment, any third party involved in data processing operations on behalf of the controller, under Moldovan law, was required to sign direct data processing agreements with the controller, basically prohibiting processing subcontracts from being signed by the processors. 

The same legal amendment elaborates that when a processor engages another processor for carrying out processing operations on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the (first) processor shall be further imposed on the other (sub)processor by way of a contract or other legal act – particularly providing sufficient guarantees to implement appropriate technical and organizational measures meeting the requirements of Moldovan law. Where that other processor fails to fulfill its obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations. 

As a formal pre-approval step, to engage a sub-processor, the processor needs to have the controller’s written permission. The permission and terms of engagement of a sub-processor might be covered by the agreement between the controller and processor or documented at a later stage in a separate writ. If the controller has approved the engagement of a sub-processor, the processor shall sign a contract or other legal act requiring the sub-processor to meet the legal requirements under Moldovan law.

Naturally, the alignment of the Moldovan data protection law with the GDPR – with its complex case law and practical solutions – seems to be a good long-term solution for the Moldovan data protection legal framework. It remains to be seen whether the Moldovan practice will follow the same approach as in the EU. 

By Iulian Pasatii, Partner, and Constantin Cretu, Junior Associate, Gladei & Partners 

This article was originally published in Issue 10.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here

Moldovan Knowledge Partner

ACI Partners is a leading law firm in Moldova with an expanding network of partners throughout Europe. ACI Partners was established in 2006 and since then has managed to build a very strong and competitive legal practice. Our business strategy strives to deliver a solid and reliable service, going beyond merely grasping the law, which the clients may turn to whenever they need. In reaching this goal, ACI Partners employs a personalized approach to each client, showing a genuine respect for their values and unqualified commitment to their interests and needs, steadily investing in knowledge and data management and ensuring a working environment consistent with our clients’ quality demands and high expectations.

ACI Partners is a one-stop shop law firm proficient in all possible legal matters a business might come across in Moldova, starting with incorporation of a business, and obtaining of all the necessary regulatory permits, continuing with various daily matters, such as contracts, labor, and migration, and finishing with dispute settlement, insolvencies, and criminal investigations. But we pride ourselves especially for our unmatched expertise in most innovative and complex areas for Moldova, as Modern Financial Products, Data Protection, Renewable Energy, Competition, Clinical Studies, Public Procurement, and Regulatory. In our work, we always involve a team of professionals with the relevant skill-mix, which enables us to provide our clients with an integrated and comprehensive advice, superior to our competitors.

ACI Partners has advised the Government of the Republic of Moldova, businesses, international organizations, and other institutions on most challenging transactions, assignments and projects.

ACI Partners is not just another law firm. Over the course of our existence and working in Moldova, and on the international stage for our non-Moldovan clients, we have developed a strong set of core values which, we believe, guide us in everything that we do and, moreover, gives us a competitive advantage – differentiating us from other firms on the market.

Firm's website.

Our Latest Issue