A project modifying the Standard Contractual Clauses (“SCCs”) for cross-border transmission of personal data was recently proposed in the legal framework of Moldova. It is meant to refresh the current regulation and ensure better harmonization with the GDPR.
William Douglass predicted back in the last century that we are rapidly entering the age of no privacy, where everyone is open to surveillance at all times, where there are no secrets from the government. However, regulators from all over the world make continuous efforts to limit access to personal data.
A good example for our country was provided on 10.01.2022 by the amendment of Article 32 of Law No. 133/2011 on personal data protection (“Law No. 133/2011”), which introduced the concept of a Standard Contract in order to secure data transfers to states that don’t ensure an adequate level of personal data protection.
Shortly after that, in November 2023, a Project modifying the content of the SCCs was proposed.
Firstly, it is intended to clarify the process of assessing an appropriate level of security by considering the current state of technology, the costs of implementation, the nature, scope, context and purpose(s) of the processing, as well as the risks to which the data subjects are exposed. The parties shall, in particular, consider the use of encryption or anonymization/pseudonymization/depersonalization, including during transmission where this does not prevent the fulfillment of the processing purpose.
Secondly, the proposed modifications introduce the importer’s obligation to notify the data exporter, as well as the competent supervisory authorities, without undue delay of a breach of personal data security that is likely to generate a risk to the rights and freedoms of natural persons.
The new regulations also require specific notification content, which is, in our opinion, a must-have in order to prevent practical issues.
Another substantial modification is the possibility of concluding a subsequent transfer. It will directly facilitate the practical processes related to data transfer while ensuring adequate data protection all along the way.
However, the most significant novelty is the introduction of a new type of transfer: between two persons authorised by the operators. Consequently, the exporter will inform the importer that it is acting as an authorised person and of the instruction received before data processing. We see it as a necessary adaptation in the field of professional relations that require data transfers.
Even though the proposed modifications are practical and refreshing, we want to raise some objections.
Firstly, Clause 8, subparagraphs 8.7 (Module 1), 8.8 (Module 2), and 8.8 (Module 3) concerning "Subsequent Transfers," provides an exhaustive list of cases in which the importer may disclose personal data to a third party. However, we reasonably believe that it should be supplemented with the following text: “the subsequent transfer is allowed in the event when the third party provides adequate safeguards regarding the processing in question.” Such a provision will ensure full compliance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs and will provide better flexibility in the contractual relationships of the data importers without violating the rights of data subjects.
Nevertheless, it is problematic that Law No. 133/2011 does not provide an express regulation of "adequate safeguards" as assured by Articles 46 and 47 of Regulation (EU) 2016/679 on the protection of individuals concerning the processing of personal data and on the free movement of such data. This omission, consequently, unjustifiably limits the rights of the data importer.
Secondly, the provisions of Clause 15, point 15.1, subpoint 1, letter c), impose on the data importer the obligation to notify the data exporter in the event of "becoming aware of any accidental or unauthorized access that has led to a breach of the security of personal data".
This provision is extremely protective of the exporter: letters a) and b) expressly identify the public authority as the entity whose access to personal data must be notified, while letter c), in the absence of an express specification, obliges the data importer to notify any accidental and unauthorized access. Moreover, only accesses that have resulted in a breach of the security of personal data are to be notified, which implies that the data importer must take additional actions to ascertain this fact.
Also, we note that there is no legal provision at European level imposing such an obligation on the data importer. Therefore, to avoid any possible disruption of the data importer's activity by imposing exaggerated liabilities, we consider it appropriate to exclude letter c).
Thirdly, the exporter's obligation to implement technical and organizational measures relating to the importer's ability to fulfil its obligations under the SCCs is not accompanied by expressly defined measures and instructions. This creates uncertainty in the direct application of the SCCs and points to a pressing need for greater clarity and specificity in the legal framework governing cross-border transmission of personal data.
By Natalia Siretanu, Senior Associate, and Valeria Grisciuc, Junior Associate, Gladei & Partners