On 8 July 2011 the Parliament of the Republic of Moldova passed Act No. 133/2011 on personal data protection in Moldova (Act No. 133). Act No. 133 will enter into force on 15 April 2012 and implements new norms on the protection of individuals with regard to the processing of personal data, registration procedures (notification) for processors of personal data, and rules on the cross-border transfer of personal data.

Legislative background

On 15 April 2012, Act No. 133 will entirely replace the current Act No. 17/2007 on personal data protection. The new legislation is intended to align the country with EU norms, in particular Directive 95/46/EC of the European Parliament and Council of 24 October 1995 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (Directive 95/46/EC).

Act No. 133 follows a strong legislative initiative by the National Center for Personal Data Protection of Moldova (NCPDP) to convince the legislator to vote to restructure the existing system. The reform has been underway for some time. For example, under Government Decision No. 1123/2010, current processors of personal data must implement by 25 December 2011 the published requirements on ensuring the protection of personal data upon its processing in personal data information systems.

Further, all local processors of personal data performing processing when Act No. 133 enters into force must notify the NCPDP of such operations within 30 days.

Act No. 133 defines the processing of personal data as any operation or set of operations upon the personal data of individuals.

Notification procedure

Unlike the old legislation, Act No. 133 requires all processors of personal data to notify the NCPDP of an intended processing operation before it is performed. Moreover, a supplementary processing operation may not be performed until a new notification is submitted.

After giving notification, processing operators will receive a registration number that must be reflected on all acts by which personal data is collected, stored or transferred.

Processors carrying out certain operations – such as the processing of personal data by electronic means within systems that generate individual decisions about the solvency or professional competence of individuals – will have to pass supplementary preliminary checks by the NCPDP on whether the operations comply with the new legislation. These preliminary checks may not exceed 45 days from submission (in complex cases, plus an additional 45 days). Processing personal data without the NCPDP's authorisation is prohibited.

The NCPDP will keep a register of all personal data processors in Moldova.

Personal data subject's consent

Compared to Directive 95/46/EC, Act No. 133 provides for a slightly different definition of the personal data subject's consent. Except in the cases listed by law as not requiring consent, consent must be freely given, express, unconditional, and in written or electronic form. This requirement of written or electronic consent may raise practical difficulties for processors, who will need a correspondingly practical approach in order not to breach the law.

Consent is not necessary if the processing of personal data is required: (i) for the execution of an agreement to which the personal data subject is a party; (ii) to take certain measures before entering into such agreement, at the subject's request; (iii) to protect the life or health of the personal data subject; or (iv) to fulfil a legal obligation of a processor.

Under Act No. 133 all processors must ensure free access by personal data subjects to their personal data.

Trans-border transfer of personal data

As under the current legislation, the trans-border transfer of personal data must be authorised by the NCPDP, which will give authorisation only if the destination country ensures adequate protection of the data. This will be decided on a case-by-case basis.

In those cases listed by law, however, the NCPDP may authorise the cross-border transfer of personal data even if the destination country does not ensure an appropriate level of protection, on condition that the processor presents sufficient guarantees to ensure protection (eg, an agreement signed between the processor and persons processing the personal data abroad).

The new legislation brings new rules to an important domain. Let's hope the Moldovan authorities implement them well in practice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.