Financial Crime World

Here is the rewritten article in markdown format:

Data Protection Laws in Moldova

Data Protection Officer (DPO)

In Moldova, a Data Protection Officer (DPO) must be appointed by organizations that process personal data. The DPO plays a crucial role in ensuring compliance with data protection laws and regulations.

  • Selection and Appointment: The DPO must be selected and appointed based on professional qualities and expert knowledge of data protection law.
  • Independence: The DPO may not receive instructions from the controller or processor regarding their tasks.
  • Responsibilities:
    • Informing and advising the controller, processor, and employees on data protection obligations.
    • Monitoring compliance with the Law and related policies.
    • Providing advice on Data Protection Impact Assessments (DPIAs).

Data Breach Notification

While there are no specific provisions in national law on data breach notification, controllers must notify the National Centre for Personal Data Protection (NCPDP) annually of all system security incidents.

Data Retention

Data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes of collection or further processing. When processing is finished, data must be:

  • Destroyed: Data must be destroyed after it is no longer needed.
  • Transferred to another controller (with same purpose): Data may be transferred to another controller with the same purpose as the original collector.
  • Transformed into anonymized data: Data can be transformed into anonymized data, which is no longer identifiable.

Children’s Data

Children’s personal data may be processed without special conditions, except for obtaining consent from legal representatives. The general rule is that a person has full legal capacity at 18 years old.

Special Categories of Personal Data

Processing of sensitive data (e.g., criminal convictions) may only be carried out by public authorities within their competencies and on the conditions set by laws regulating these areas. A DPIA may be required before processing this type of data.

Controller and Processor Contracts

When data processing is carried out by a processor, the controller and processor must agree on:

  • Scope and duration of the contract: The scope and duration of the contract between the controller and processor.
  • Processor’s obligations regarding data protection: The processor’s obligations regarding data protection.
  • Measures to ensure compliance with the Law: Measures to ensure compliance with the Law.