20
Sat, Apr
44 New Articles

Moldovan Novelty in the Legal Framework for International Data Transfers

Moldovan Novelty in the Legal Framework for International Data Transfers

Moldova
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Recently, a series of substantial developments in the data protection area and several eloquent guidelines have been operated and published by the Moldovan Personal Data Protection Authority (PDPA). Below is an overview of the most important matters to be considered both by data controllers and data processors operating on the territory of the Republic of Moldova.

On 10 January 2022, a new law amending the Personal Data Protection Law No. 133/2011 (PDP Law) has been enacted, aligning the PDP Law to the provisions of the European Union's General Data Protection Regulation (GDPR).

Particularly, a new legal regime has been introduced for the cross-border transmission of personal data, allowing a free movement of data between Moldova, the EEA states and the countries ensuring an adequate level of personal data protection, as per the list of countries approved by PDPA. This list currently comprises Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the State of Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, Uruguay, and the United Kingdom of Great Britain and Northern Ireland.

A pivotal case comes out when personal data is transmitted to a country outside of the list of EEA states or the list of countries approved by PDPA as complying with the adequacy criteria. In this case, data controllers shall have a legal basis for such transfers, either by having as a ground a legal exception (inter alia if such processing is carried out according to a treaty Moldova and the destination country are parties of; based on data subject’s consent for such a transfer) or if the transfer is based on standard contractual clauses (SCC) concluded between the Moldovan controller/processor and the controller/processor located in a country not party to the EEA or not listed by PDPA as complying with the adequacy criteria.

On 22 April 2022, PDPA has approved the template of SCC – as a further innovation for the Moldovan data protection legal framework. The SCC were developed to implement Article 32 of PDP Law, with provisions establishing appropriate guarantees for all parties involved (both for its signatories and the data subjects affected), including opposable rights of data subjects and effective remedies concerning cross-border transmissions of data from controllers to controllers, from controllers to processors, and from processors to controllers.

The substantive difference between the EU and Moldovan SCC is that the latter cover only three transfer scenarios, namely controller-to-controller, controller-to-processor, and processor-to-controller, without processor-to-processor scenario covered. Therefore, it falls on the parties’ responsibility in this last scenario – 2 processors – to safeguard adequately their and data subjects’ rights by concluding the pre-approved SCC amended mutatis mutandis.

The Moldovan SCC are structured in 4 sections and 17 modular clauses characterized by flexibility, as the parties can tailor clauses to their particular data processing activities. The most important SCC provide:
• guarantees for the protection of personal data transmitted abroad;
• obligations of the processors relating to the fulfillment of the contract;
• rights of data subjects;
• liability of the parties for damage caused to the data subjects following non-compliant data processing;
• remedies available to data subjects in case of violation of data processing and storage provisions;
• obligations of the data importer in case of access of public authorities and the obligation of the data importer;
• the exclusive competence of Moldovan courts concerning all disputes arising from the SCC;
• a “docking clause” allowing additional parties to join the contract in the future.

Section 4 of the SCC states that the data exporter is entitled to suspend any data transfers when the contractual clauses have been infringed by the importer and in case there are no remedies, the contract may be terminated by the exporter after one month.

Further, two important annexes have the purpose to corroborate the principles of transparency and accountability to the SCC.

The first annex is divided into two sections: (1) first relates to specific information on the transfers that must be carried out (including names, addresses, and activities associated with the data transfer), and (2) the second covers description of the transfer, which shall categorize the transferred data, frequency, data retention period, purpose, and nature of processing.

The second annex includes technical and organizational measures that shall guarantee the security of personal data processed – these shall be implemented by the importer in order to ensure an adequate level of data protection.

As a novelty in the Moldovan data protection legal framework, it now falls within the responsibility of PDPA to ensure an uniform and predictable practice of SCC implementation, as well as to ensure the Moldovan practice is inspired from the international (in general) and European (in particular) best practices in this field.

By Iulian Pașatii, Partner, Constantin Crețu, Junior Associate, Gladei & Partners

Moldovan Knowledge Partner

ACI Partners is a leading law firm in Moldova with an expanding network of partners throughout Europe. ACI Partners was established in 2006 and since then has managed to build a very strong and competitive legal practice. Our business strategy strives to deliver a solid and reliable service, going beyond merely grasping the law, which the clients may turn to whenever they need. In reaching this goal, ACI Partners employs a personalized approach to each client, showing a genuine respect for their values and unqualified commitment to their interests and needs, steadily investing in knowledge and data management and ensuring a working environment consistent with our clients’ quality demands and high expectations.

ACI Partners is a one-stop shop law firm proficient in all possible legal matters a business might come across in Moldova, starting with incorporation of a business, and obtaining of all the necessary regulatory permits, continuing with various daily matters, such as contracts, labor, and migration, and finishing with dispute settlement, insolvencies, and criminal investigations. But we pride ourselves especially for our unmatched expertise in most innovative and complex areas for Moldova, as Modern Financial Products, Data Protection, Renewable Energy, Competition, Clinical Studies, Public Procurement, and Regulatory. In our work, we always involve a team of professionals with the relevant skill-mix, which enables us to provide our clients with an integrated and comprehensive advice, superior to our competitors.

ACI Partners has advised the Government of the Republic of Moldova, businesses, international organizations, and other institutions on most challenging transactions, assignments and projects.

ACI Partners is not just another law firm. Over the course of our existence and working in Moldova, and on the international stage for our non-Moldovan clients, we have developed a strong set of core values which, we believe, guide us in everything that we do and, moreover, gives us a competitive advantage – differentiating us from other firms on the market.

Firm's website.

Our Latest Issue