What are personal data?
To whom do they apply?
How do we protect them?
Everyone is now talking about the protection of personal data and, more recently, about the GDPR, the new EU regulation on personal data protection.
But what are personal data?
According to the legal definition, this is “any information relating to an identified or identifiable natural person (subject of personal data). The identifiable person is the person who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to his/her physical, physiological, mental, economic, cultural or social identity”.
It should be noted that personal data are attributable only to natural persons, not to legal persons. Any operation performed on such data, such as collection, storage, deletion or transmission, constitutes processing of personal data.
Under the legislation in force in the Republic of Moldova, anyone who processes personal data for a specified purpose is called an operator and is obliged to notify the national authority, the National Centre for Personal Data Protection (CNPDCP). The procedure for notification and registration as a Personal Data Operator has proved to be rather difficult, and the legal requirements for personal data protection are considered outdated.
This is being said by specialists in the field from the Republic of Moldova, by the operators themselves, and by international experts delegated to our country to ensure a high level of personal data protection and respect for the right to privacy in the Republic of Moldova, in accordance with the legal framework and standards of the European Union.
As a result, the new legislative package on personal data protection, which meets both the requirements of modern society and EU standards, is expected to be approved in its final reading.
One of the most anticipated legislative changes in this respect is the repeal of the obligation to notify the CNPDCP. Even for the cross-border transmission of personal data to an EU Member State, it will no longer be necessary to notify the Centre. Likewise, with the entry into force of the new law, the requirements for the protection of personal data are modernized and brought into line with the requirements of the GDPR. Incidentally, the scope of the GDPR is both material and territorial. The territorial scope requires its application to EU territory and its citizens. However, on the territory of our state, the existing legislation of the Republic of Moldova applies even to an EU citizen. That is, if we process personal data within the territory of the Republic of Moldova, for example from a customer who is a citizen of an EU Member State, we apply the provisions of the legislation of the Republic of Moldova, not the provisions of the GDPR.
The new legislative provisions on personal data protection promise to eliminate bureaucracy, but they also rely on the good faith of personal data operators. In this respect, liability for failing to notify the CNPDCP is removed, but the penalties for violating personal data protection rules are toughened: the maximum penalty will amount to 5% of turnover, which may involve exorbitant figures.