of July 25, 2024 No. 195
About personal data protection
The parliament adopts this organic law.
This law shifts Regulations (EU) 2016/679 European parliament and Council of April 27, 2016 about protection of physical persons in case of personal data processing and about free circulation of such data, and also about canceling of the Directive 95/46/EU (General regulations about personal data protection), published in the Official log of the European Union by L 119/1 of May 4, 2016, CELEX: 32016R0679.
(1) This law establishes the legal base concerning:
a) protection of physical persons in connection with personal data processing;
b) the organizations and functioning of the National center for personal data protection (further also – the Center);
c) supervision of application of the legislation in the field of personal data protection;
d) legal responsibility and punishments applied for violation of the law in the field of personal data protection.
(2) the Purpose of this law is ensuring protection of basic rights and freedoms of physical persons, in particular the rights to intimate, family and private life in connection with personal data processing.
(1) This law is applied to the personal data processing performed fully or partially by the automated means as well as to personal data processing by other means, except automated, constituting part of system of accounting of data or intended for inclusion in system of accounting of data.
(2) This law is not applied to personal data processing:
a) carried to the state secret which is performed according to the Law on the state secret No. 245/2008, in that measure in which it is necessary for protection of homeland security and defense and in proportion to this protection;
b) physical person only for personal or domestic needs;
c) carried out by competent authorities for the purpose of warning, investigation, identification or criminal prosecution of crimes, as well as for the purpose of execution of criminal penalties, including protection against threats for public safety and their warning;
d) the concerning died persons, except for case, stipulated in Article 52.
(3) This law does not affect situation of the Law on services of information society No. 284/2004, in particular the regulations concerning responsibility of service providers and intermediaries who are provided by articles 14-17 of the specified law.
(1) This law is applied to personal data processing within the activities performed in the location of the operator or person acting at the request of the operator in the territory of the Republic of Moldova irrespective of whether processing in the territory of the Republic of Moldova or beyond its limits is performed.
(2) This law is applied to personal data processing of the subjects of personal data taking the location in the territory of the Republic of Moldova by the operator or person which is acting at the request of the operator, not taking the locations in the Republic of Moldova in case activities for processing are connected:
a) with provision of goods or services to such subjects of personal data in the Republic of Moldova, irrespective of whether payment from appropriate subject is requested; or
b) with monitoring of their behavior if that is shown in the Republic of Moldova.
(3) This law is applied to personal data processing by diplomatic representations and consular establishments of the Republic of Moldova, and also other operators who are not taking the locations in the Republic of Moldova if the legislation of the Republic of Moldova is applied based on the international public law.
For the purpose of this law the following concepts are used:
personal data – any information relating to the identified or identifiable physical person (further – the subject of personal data). Identifiable physical person is the person which can be identified directly or indirectly, in particular, by means of the reference to the determining element, such as name, identification number, data on the location, the on-line identifier, or on one or several specific elements inherent its physical, physiological, genetic, mental, economic, cultural or social identity;
processing – any action (transaction) or set of actions (transactions) made with use of the automated means or without use of such means with personal data or set of personal data including collection, registration, systematization, structuring, storage, refining or change, extraction, acquaintance, use, disclosure by transfer, distribution or provision of access by any different way, streamlining or combination, restriction, removal or destruction;
processing restriction – marking of the stored personal data for the purpose of restriction of their further processing;
profiling – any form of automated personal data processing which consists in use of personal data for assessment of the certain personal aspects concerning physical person, in particular for the analysis or forecasting of the aspects connected with labor productivity, economic situation, the state of health, personal preferences, interests, reliability, behavior, the location of this physical person or with its movements;
pseudonymization – personal data processing as a result of which there is impossible without use of the additional information reference of personal data to the specific subject of personal data on condition of separate storage of such additional information and application to it technical and organizational measures which provide prevention of reference of these personal data to the identified or identifiable physical person;
system of accounting of data – any structured set of the personal data available according to specific criteria, irrespective of whether such data are centralized, decentralized or distributed by functional or geographical criteria;
operator – physical person or legal entity, body of the public power, the agency or other body which independently or together with others determine the purposes and means of personal data processing. If the purposes and means of processing are established by regulations, the operator or specific criteria of its assignment are determined by the corresponding regulations;
person acting at the request of the operator – physical person or legal entity, body of the public power, the agency or other body which on behalf of the operator process personal data;
the location – the place of the actual and valid implementation of activities within stable arrangements;
the receiver – physical person or legal entity, body of the public power, the agency or other body which personal data reveal irrespective of whether they are the third party. Bodies of the public power to which personal data can be reported during separate investigation according to regulations are not considered as receivers; processing of such data by relevant organs of the public power is performed with observance of applicable rules of personal data protection according to the processing purposes;
the third party – physical person or legal entity, body of the public power, the agency or other body, except the subject of personal data, the operator, person acting at the request of the operator and persons which under the direct operator guide or person acting at the request of the operator are authorized to perform personal data processing;
consent – any free, specific, informed and unambiguous declaration of will by means of which the subject of personal data the unambiguous statement or action expresses consent to processing of the personal data concerning it;
violation of safety of personal data – security violation, accidental or unduly led to destruction, loss, change or unauthorized disclosure transferred, stored or different way of the processed personal data, as well as to illegal access to these data;
genetic data – the personal data relating to the inherited or acquired genetic characteristics of physical person which provide unique information on physiological features or the state of health of this physical person, and received, in particular, in analysis result of sample of the biological material taken from the relevant physical person;
biometric data – the personal data obtained as a result of special processing procedures, relating to the physical, physiological or behavioural features of physical person giving the chance to establish or confirm its unique identification, for example, the image of person or dactyloscopic data;
health state-of-health data – the personal data connected with condition of physical or mental health of physical person including with rendering services of medical care which open data on state of his health;
national identification number – number by means of which the physical person in certain systems of accounting is identified and which has common application, for example, the state identification number, series and number of the identity certificate, passport number, the car driver license;
the representative – the physical person or legal entity with the location in the Republic of Moldova designated in writing by the operator or person acting at the request of the operator according to Article 27, which represents the operator or person acting at the request of the operator, in connection with fulfillment of duties, assigned to it according to this law;
the company – the physical person or legal entity performing economic activity irrespective of its form of business, including in the form of the partnership or associations which are regularly performing economic activity;
group of companies – the company exercising control, and the companies controlled by it;
obligatory corporate rules – policy in the field of personal data protection which shall be observed by the operator or person acting at the request of the operator, taking the location in the territory of the Republic of Moldova by transfer of personal data or set of personal data to the operator or person acting at the request of the operator in one or several states in the territory of which they perform activities as a part of group of companies or as a part of the companies performing joint economic activity;
total turnover – the turnover used in the value determined by Article 4 of the Competition act No. 183/2012;
services of information society – the services used in the value determined by article 4 of the Law on services of information society No. 284/2004;
direct marketing – transfer by phone, mail or other means of direct link of the advertizing or marketing messages (on promotion of goods or services) sent to individuals;
the international organization – the organization and its subordinated bodies regulated by the international public law or other body created by the agreement signed between two or more states or on the basis of such agreement.
(1) Personal data shall:
a) be processed on legal, fair and transparent basis concerning the subject of personal data (the principle of legality, justice and transparency);
b) be exposed to collection in particular, clear and legal purposes and further shall not be processed according to the procedure, incompatible with the specified purposes. The subsequent processing performed for the purpose of archiving in public concerns for the purpose of carrying out scientific or historical research or in the statistical purposes, incompatible with the initial purposes according to part (1) Article 54 (the principle of the restriction connected with the purpose) is not recognized;
c) differ in adequacy, relevance and to be limited to the purposes for which they are processed (the principle of minimization of data);
d) differ in accuracy, and in necessary cases shall be updated. Proceeding from the processing purposes, all necessary measures for ensuring immediate removal or correction of inexact personal data (the principle of accuracy) shall be taken;
e) be stored in the form allowing to identify subjects of personal data during the term which is not exceeding the term necessary for goal achievement of personal data processing. Personal data can be stored during longer terms in that measure in what they shall be processed only for the purpose of archiving in public concerns, for the purpose of carrying out scientific or historical research or in the statistical purposes, according to part (1) Article 54 on condition of application of the adequate measures of technical and organizational procedure provided by this law for providing the rights and freedoms of the subject of personal data (the principle of the restriction connected with storage);
f) be processed according to the procedure, ensuring proper safety of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by acceptance of the adequate technical or organizational measures (the principle of integrity and confidentiality).
(2) the Operator bears responsibility for observance of part (1) and shall be ready to prove its observance (the principle of responsibility).
(1) Processing is legal only in that case and in that amount in which at least one of the following conditions is observed:
a) the subject of personal data agreed to processing of the personal data for the purpose of achievement of one or several specific purposes;
b) processing is necessary for agreement performance which party is the subject of personal data, or for acceptance of certain measures for request of the subject of personal data before the conclusion of the agreement;
c) processing is necessary for accomplishment of the obligation of the operator provided by the law;
d) processing is necessary for protection of the vital interests of the subject of personal data or other physical person;
e) processing is necessary for accomplishment of the task set in public concerns or when implementing the official powers assigned to the operator;
f) processing is necessary for ensuring the legitimate interests pursued by the operator or the third party, except for case when interests or basic rights and freedoms of the subject of personal data prevail that requires protection of its personal data as, for example, in case subject of personal data is the child.
(2) Personal data can be processed according to Item e) parts (1) if processing is necessary:
a) for accomplishment in public concerns of task which follows from regulations;
b) for implementation by the operator of the functions or obligations provided by regulations.
(3) the Bases for the processing specified in Items c) and e) parts (1) and parts (2), shall be provided by the legislation of the Republic of Moldova.
(4) Item f) parts (1) it is not applied in case of the processing performed by bodies of the public power in case of execution of the obligations.
(5) If processing with the purpose other than the purpose for which achievement collection of personal data was performed is not based on the consent of the subject of personal data or on regulations which represent necessary and proportional measure in democratic society for protection of the purposes specified in part (Articles 23, the operator for determination of compatibility of the purpose of the performed processing on purpose for which personal data were initially collected takes 1) into account, in addition:
a) any communication between the purposes for which collection of personal data, and the purposes of the planned further processing was performed;
b) context in which collection of personal data, in particular, in respect of the relations between subjects of personal data and the operator was performed;
c) nature of personal data, in particular, if special categories of personal data according to Article 9, are processed or if the personal data concerning criminal sentences and crimes according to Article 10 are processed;
d) possible effects of the planned further processing for subjects of personal data;
e) availability of proper guarantees which can include enciphering or pseudonymization.
(1) If processing is based on consent, the operator shall have opportunity to prove that the subject of personal data agreed to processing.
(2) If the subject of personal data agrees in the written application which also concerns other aspects, the application for consent shall be submitted in shape, accurately different from other aspects, in convenient for perception and available type and it is stated by simple and clear language. Any of parts of such statement constituted with violation of this law is not subject to obligatory execution.
(3) the Subject of personal data has the right at any time to withdraw the consent. The withdrawal of consent does not influence legality of the processing performed based on this consent to its response. The subject of personal data is informed on it before consent registration. The withdrawal of consent is performed also simply, as well as its issue.
(4) In case of assessment whether the consent of the subject of personal data free expression of its will was, special attention shall be paid, in addition, to the fact that agreement performance, including provision of separate service, is caused by consent to processing which is not necessary for execution of this agreement.
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info
Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system
If you cannot find the required document, or you do not know where to begin, go to Help section.
In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.
You also may open the section Frequently asked questions. This section provides answers to questions set by users.