22.02.2018
GAP analyses
for the Law on Personal data protection of Republic of Moldova (the Law)from perspective of its compliance with General Data Protection Regulation (GDPR)
Full title of Regulation:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Present situation (“what is”) / Future in compliance with GDPR (“what should be”)The scope of exception for applying the Law is wider than in GDPR - it provides that the Law does not apply for natural persons and legal entities (in the Law defined as “controllers”) who processing of personal data for personal and family needs. But restricts it with rule that in these exceptional cases the rights of personal data subjects should not be violated (2.a). / The purpose of GDPR is that it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, GDPR applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Action: to provide rules that the Law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity without any restrictions.
(Article 2(2.c) of GDPR)
The Law states that it does not apply to specific crimes - genocide, crimes against humanity and war crimes -, but the Law shall apply on other crimes (criminal or administrative) (2.c; 2.2.d). / Action: to provide rules that the Law does not apply to all kind of crimes - the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data. (Personal data processed by public authorities under GDRP, when used for those purposes, is governed by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.).
(Article 2(2.d) of GDPR)
The Law does not provide that the processing of personal data of data subjects who are in the Republic of Moldova by a controller or a processor not established in the Republic of Moldova should also be subject to the Law where the processing activities are:
1) related to offering goods or services to such data subjects irrespective of whether connected to a payment;
2) when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Republic of Moldova (2.2.c). / In order to ensure that natural persons are not deprived of the protection to which they are entitled under the Law, the processing of personal data of data subjects who are in the Republic of Moldova by a controller or a processor not established in the Republic of Moldova should be subject to the Law where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
The processing of personal data of data subjects who are in the Republic of Moldova by a controller or processor not established in the Republic of Moldova should also be subject to the Law when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Republic of Moldova.
Action: in the Law should be stated that the processing of personal data of data subjects who are in the Republic of Moldova by a controller or a processor not established in the Republic of Moldova should also be subject to the Law where the processing activities are:
1) related to offering goods or services to such data subjects irrespective of whether connected to a payment;
2) when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Republic of Moldova.
(Article 3(2) of GDPR)
The Law does not provide that identifiable natural person can be identified by a name; location data; an online identifier; factor specific to genetic of natural person (3). / Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, either by the controller or by another person to identify the natural person directly or indirectly.
Action: in the Law should be stated all possible criteria by which natural persona can be identified – it is necessary to supplement the definition of personal data with additional criteria by which identifiable natural persona can be identified such as a name; location data; an online identifier; factor specific to genetic of natural person.
(Article 4(1) of GDPR)
The Law does not state that special categories of personal data includes date revealing trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning natural person’s sexual orientation. (3) / Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms – inter aliadate revealing trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning natural person’s sexual orientation– merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Action:since the definition of special categories of personal datadoes not includeall special categories of personal data, it is necessary to include in the definition of special categories of personal data date revealing trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning natural person’s sexual orientation.
(Article 9(1) of GDPR)
Law does not contain a definition of restriction of processing (3). / Action: since the definition of processing of personal data does not include such activity as „restriction”, it would be advisable to consider necessity to include in the Law the definition of restriction of processing.
(Article 4(3) of GDPR)
Law does not contain a definition of profiling (3). / Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols (internet protocol addresses, cookie identifiers) or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Action: it is necessary to define in the Law a definition of profiling (which means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements).
(Article 4(4) of GDPR)
The Law does not provide applicable rules for processing of personal data in the framework of a particular inquiry in accordance with law of the Republic of Moldova by public authorities which may receive those data (3). / Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with law of the Republic of Moldova. The requestsfor disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.
Action: it would be advisable to state in Law that the processing of personal data in the framework of a particular inquiry in accordance with law of the Republic of Moldova by public authorities which may receive those data shall be in compliance with the applicable data protection rules according to the purposes of the processing.
(Article 4(9) of GDPR)
The Law limits the range of public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission (3). / The Law should cover all possible public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission.
Action:in addition to the public authorities listed in the Law, there should be listed public authorities such as tax and customs authorities, financial investigation units, independent administrative authorities or financial market authorities responsible for the regulation and supervision of securities markets.
(Article 4(9) of GDPR)
The Law does not contain a definition of personal data breach. (3) / Action: since the personal data breach can cause serious consequences it is necessary to include in the Law the definition of personal data breach .
(Article 4(12) of GDPR)
The Law does not contain a definition of genetic data (3). / Action: since genetic data are one of sensitive personal data it would be necessary include in the Law the definition of genetic data.
Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
(Article 4(13) of GDPR)
The Law does not contain a definition of biometric data (3). / Action: since biometric data are one of sensitive personal data it would be necessary include in the Law the definition of biometric data defining it as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
(Article 4(14) of GDPR)
The Law does not contain a definition of data concerning health (3). / Action: since data concerning health are one of sensitive personal data it would be necessary include in the Law the definition of data concerning health.
Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject: information about the natural person collected in the course of the registration for, or the provision of, health care services to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
(Article 4(15) of GDPR)
The Law does not contain a definition of main establishment (3). / Action: it is necessary to define (enumerate)specific criteria by which to determine main establishment. The main establishment of a controller in the Republic of Moldova should be the place of its central administration in the Republic of Moldova. The main establishment of a controller in the Republic of Moldova should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.
The main establishment of the processor should be the place of its central administration in the Republic of Moldova or, if it has no central administration in the Republic of Moldova, the place where the main processing activities take place in the Republic of Moldova.
(Article 4(16) of GDPR)
The Law does not contain a definition of representative. (3) / Action: to provide a definition of representative as it is in Article 4(17) of GDPR.
The Law does not contain a definition of binding corporate rules (3). / Since it is very common that enterprises have branches, controlled undertakings, territorial subdivisions, it is necessary that they all have one common personal data protection policies (guidelines) which are adhered to by a controller or processor established on the territory of the Republic of Moldova for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Action:in the Law should be a definition of binding corporate rules.
(Article 4(20) of GDPR)
The Law does not contain a definition of cross-border processing (3). / Action: in now days when globalisation takes place, it is necessary to describe what is cross-border processing.
(Article 4(23) of GDPR)
The Law does not contain a definition of relevant and reasoned objection, but partiallyit derives from paragraph 1 of Article 16 of the Law.(3) / Action: consider necessity to define relevant and reasoned objection. Because it is important to state that relevant and reasoned objections are those which clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Republic of Moldova.
(Article 4(24) of GDPR)
The Law does not include the principle of transparency (4.1.a) / The principles of data protection should apply to any information concerning an identified or identifiable natural person and it is important that personal data are processed in a transparent manner in relation to the data subject.The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
Action:in the Law should be stated that personal data shall be processed in a transparent manner in relation to the data subject.
(Article 5(1.a) of GDPR)
The Law does not listing all possible legitimate basis which shall apply to process personal data (-) / In order for processing to be lawful, personal data should be processed on the basis of legitimate basis, laid down by law, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Action:to provide rules that processing of personal data should be lawful and for that at least one of the following legitimate basis shall applyand then following list with all possible legitimate basis.
(Article 6(1) of GDPR)
The Law does not provide rule that the consent of personal data subject should be given for specific purposes (5.1) / Where processing is based on the data subject's consent a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
Action:to provide rules that the data subject is giving consent to the processing of his or her personal data for specific purposes.
(Article 6(1.a) of GDPR)
The Law does not highlight specific data subject – child (5.5.e) / Action: since children are less protected as adults, would be advisable to consider necessity to highlight the data subject – child whose interests should be primary over other data subject interests.
(Article 6(1.f) of GDPR)
The Law does not states conditions which should be fulfilled by controller if he wants to process persona data for a purpose other than for which the personal data have been collected and it is not based on the data subject’s consent (5.5.f). / The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.
Action:would be advisable to consider necessity to provide conditions which should be fulfilled by controller if he wants to process persona data for a purpose other than for which the personal data have been collected and it is not based on the data subject’s consent.