Recently, a series of substantial developments in the data protection area and several eloquent guidelines have been operated and published by the Moldovan Personal Data Protection Authority (PDPA). Below is an overview of the most important matters to be considered both by data controllers and data processors operating on the territory of the Republic of Moldova.
On 10 January 2022, a new law amending the Personal Data Protection Law No. 133/2011 (PDP Law) has been enacted, aligning the PDP Law to the provisions of the European Union's General Data Protection Regulation (GDPR).
Particularly, a new legal regime has been introduced for the cross-border transmission of personal data, allowing a free movement of data between Moldova, the EEA states and the countries ensuring an adequate level of personal data protection, as per the list of countries approved by PDPA. This list currently comprises Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the State of Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, Uruguay, and the United Kingdom of Great Britain and Northern Ireland.
A pivotal case comes out when personal data is transmitted to a country outside of the list of EEA states or the list of countries approved by PDPA as complying with the adequacy criteria. In this case, data controllers shall have a legal basis for such transfers, either by having as a ground a legal exception (inter alia if such processing is carried out according to a treaty Moldova and the destination country are parties of; based on data subject’s consent for such a transfer) or if the transfer is based on standard contractual clauses (SCC) concluded between the Moldovan controller/processor and the controller/processor located in a country not party to the EEA or not listed by PDPA as complying with the adequacy criteria.
On 22 April 2022, PDPA has approved the template of SCC – as a further innovation for the Moldovan data protection legal framework. The SCC were developed to implement Article 32 of PDP Law, with provisions establishing appropriate guarantees for all parties involved (both for its signatories and the data subjects affected), including opposable rights of data subjects and effective remedies concerning cross-border transmissions of data from controllers to controllers, from controllers to processors, and from processors to controllers.
The substantive difference between the EU and Moldovan SCC is that the latter cover only three transfer scenarios, namely controller-to-controller, controller-to-processor, and processor-to-controller, without processor-to-processor scenario covered. Therefore, it falls on the parties’ responsibility in this last scenario – 2 processors – to safeguard adequately their and data subjects’ rights by concluding the pre-approved SCC amended mutatis mutandis.
The Moldovan SCC are structured in 4 sections and 17 modular clauses characterized by flexibility, as the parties can tailor clauses to their particular data processing activities. The most important SCC provide:
• guarantees for the protection of personal data transmitted abroad;
• obligations of the processors relating to the fulfillment of the contract;
• rights of data subjects;
• liability of the parties for damage caused to the data subjects following non-compliant data processing;
• remedies available to data subjects in case of violation of data processing and storage provisions;
• obligations of the data importer in case of access of public authorities and the obligation of the data importer;
• the exclusive competence of Moldovan courts concerning all disputes arising from the SCC;
• a “docking clause” allowing additional parties to join the contract in the future.
Section 4 of the SCC states that the data exporter is entitled to suspend any data transfers when the contractual clauses have been infringed by the importer and in case there are no remedies, the contract may be terminated by the exporter after one month.
Further, two important annexes have the purpose to corroborate the principles of transparency and accountability to the SCC.
The first annex is divided into two sections: (1) first relates to specific information on the transfers that must be carried out (including names, addresses, and activities associated with the data transfer), and (2) the second covers description of the transfer, which shall categorize the transferred data, frequency, data retention period, purpose, and nature of processing.
The second annex includes technical and organizational measures that shall guarantee the security of personal data processed – these shall be implemented by the importer in order to ensure an adequate level of data protection.
As a novelty in the Moldovan data protection legal framework, it now falls within the responsibility of PDPA to ensure an uniform and predictable practice of SCC implementation, as well as to ensure the Moldovan practice is inspired from the international (in general) and European (in particular) best practices in this field.
By Iulian Pașatii, Partner, Constantin Crețu, Junior Associate, Gladei & Partners