Draft Law On Personal Data Processing

The Parliament adopts the present organic law, according to the Article 72 of the Constitution of the Republic of Moldova.

Chapter I
General Provisions

Article 1. Object and Purpose
(1) The purpose of the present law is to guarantee the respect and to ensure the individuals’ fundamental freedoms and rights of protection, in particular the right to privacy, with regard to personal data processing.
Article 2.Area of Enforcement
(1) The act of the present law is applied to the personal data processing, which are component parts of the evidence system or which are designated be included in such a system, processed entirely or partially by whatever medium, inclusively automatic one.
(2) The present law shall be applied in the following situations of the personal data processing:
a) the personal data processing, executed by individuals, in condition stipulated in par. (1) of the present article;
b) the personal data processing, executed by individuals, who are abroad, to the extent to which it does not contravene with international convention provisions and treaties the Republic of Moldova is party;
c) the personal data processing, executed by individuals, who are abroad, using the means of personal data processing which are on the territory of the Republic of Moldova.
(3) The present law shall be applied to the processing of personal data, executed by any individual or legal entity. Exception can be the processing of the personal data executed by individuals exclusively for their own use if these data are not to be disclosed.
(4) Within the limits of the present law, it shall be applicable to the personal data processing and transfer, executed in the framework of prevention and investigation activity or other activities carried out in the criminal procedure domain, according to this law.
(5) The provisions of the present law are not applicable to the processing and the transfer of the personal data, executed in the framework of the national protection and security sphere, carried out at the extent set by this law.
Article 3. Legislation
(1) The legislation on personal data processing is based on the Constitution of the Republic of Moldova, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, other international treaties the Republic of Moldova is party, this law and other regulatory legal acts in force.
(2) If there is a discrepancy among the provisions of international treaties to which the Republic of Moldova is party, the provisions of the international treaties shall be applied.
Article 4. Definitions
(1) For the purposes of this law:
personal data- means any information related to the direct or indirect identification of an identified or identifiable individual, the identification number of person (IDNP);
personal data subject- personal data related to an individual who is able to use them at the extent of the present law;
personal data holder- any individual or legal entity legally authorized to process personal data;
personal data processing- any operation or set of operations the personal data are subject to, by whatever medium, inclusively: data collection, registration, organization, storage, processing, specification, adaptation, modification, extraction, counseling, offer to access, use, transfer, dissemination, blocking or erasure;
personal data transfer- the offer of personal data to a third party, by its holder, in conformity with this law.

Chapter II
Basic Principles of Personal Data Processing

Article 5. Quality of Personal Data
(1) Personal data undergoing processing shall be:
a) obtained and processed fairly and lawfully;
b) collected and registered for legitimate purposes and not used in a way incompatible with those purposes;
c) adequate, relevant non excessive in relation to the purpose for which they are collected and registered;
d) accurate and, where necessary, kept up to date;
e) preserved in a form which permits the identification of the individuals for no longer than it is required for the purpose for which those data are collected and registered.
Article 6. Personal Data Processing
(1) The processing of the personal data shall be executed with the consent of the interested person.
(2) The consent of individual is not necessary when:
a) the personal data processing is necessary for life protection, physical integrity or health protection of the interested person or other rights and freedoms;
b) the personal data processing is necessary for State security, ensuring the national security in the interests of the State monetary system or crime control;
c) the personal data, from available sources, are subject to processing, according to this law;
d) the personal data processing is done exclusively for statistic, scientific research or historic purposes.
Article 7. Processing of Special Categories of Personal Data
(1) The personal data revealing racial or ethnic origin, political opinions or religious or other beliefs, personal data concerning health or sexual life as well as data relating to criminal responsibility constitute special categories of personal data.
(2) The processing, inclusively storage of special categories of personal data, shall be executed only after the written consent of the data subject.
(3) Without written consent of data subject, in condition of private, family and intimate life protection of data subject, the processing of personal data shall be applicable in the following cases:
e) when data processing is necessary for life protection, physical or health integrity of interested person or of another person, if the interested one is a legally incapacitated person incapable of free decision to give a written consent;
f) when processing refers to data, disclosed by the interested person;
g) when processing is necessary for preventive medicine, to diagnose, to prescribe a medical treatment for the interested person on condition that the processing of respective data shall be executed by or under the medical personnel supervision that must respect the confidential nature of the information or by any other persons that are subject to an equivalent obligation regarding confidentiality;
h) when law provides this necessity in order to ensure the protection of some important public interests, on condition the processing to be done lawfully, respecting the rights and guarantees of the interested individual, set by this law;
4) Personal data regarding some categories of public employees and members of their families (husband, wife, and children) also constitute a special category of the personal data, the special regime of its application is set by the Government.
Article 8. Public Personal Data
(1) In order to provide population with necessary information, personal data shall be disclosed, after the written consent of data subject and included in: handbooks, phone books and in other similar sources of information.
(2) The following personal data regarding the interested person that are not confidential become public: surname, name, patronymic, year and place of birth, address, telephone number, information regarding his profession, other information offered by the data subject, obtained from legal open sources.
(3) In case the personal data holder collects personal data from public sources or from other available data banks, the holder of these public data, is obliged to inform the data subject about the volume, nature and use objectives of the personal data.
(4) The use of the public personal data shall be prohibited in the following cases:
a) in case of written request of the data subject;
b) in case of law authority decision.
Article 9. Personal Data Storage and Modification
(1) The present law and other acts shall establish conditions and terms of personal data storage, taking into consideration objectives of data collection respecting the rights and freedoms of the data subject. The personal data shall be destroyed or erased when they are no longer necessary for those purposes.
(2) Personal data files, act of civil status registers and other personal data are stored for archive purpose or for other purposes, set by this law, from the moment of enactment of their use.
(3) Personal data holder is obliged to introduce modifications into the data content, hold by him, on condition of reliable documentary confirmation of personal data, in the following cases:
a) from the data subject initiative which follow to be modified;
b)  by own initiative;
c) in other cases, provided by legislation.
4) After the personal data processing, if the interested person has not given his written consent for another purposes or for its further processing, the personal data holder is obliged to destroy them or transmit to another holder, on condition that previous holder guarantees that the next processing shall have similar objectives with those executed initially or stored exclusively for scientific or historic purposes.
Article 10. Rights of Personal Data Subject
(1) Any person shall be enabled:
a) to establish existence of personal data file, identification and habitual residence or headquarters of owner, holder or user of the file;
b) to obtain at reasonable intervals and without excessive delay or expense both confirmation of existence or non-existence of personal data and communication of such data;
c) to obtain rectification or erasure of personal data, if these have been processed contrary to the provisions of the present law or existing legislation;
d) to submit a request to juridical competent bodies regarding rights and freedoms violation, set by the present law.

Chapter III
State Control in Personal Data Sphere

Article11.Regulation Body in Processing and Using Sphere
(1) State control in the guarantee and protection sphere of human rights and freedoms for personal data processing and use is exercised by the Human Rights Center, which activates independently, impartially and ensures professional security.
(2) For the purpose of achieving and ensuring the execution of the present law, the Human Rights Center shall exercise the following basic functions:
a) participation in the elaboration of the State policy of human rights and freedoms protection domain in the sphere of personal data processing and use;
b) realization of the control on respect and execution of this law;
c) the minutes drafting in accordance with administrative legislation regarding the present law breach;
d) offering to individuals specialized juridical assistance;
e) registration of personal data holders;
f) in case of the present law breach, to require intervention of the law-enforcement bodies;
g) cooperation with public authorities regarding issues of their activity in the field of human rights and freedoms on personal data processing and use;
h) cooperation with similar foreign authorized bodies with regard to human rights and freedoms on personal data processing and use;
i) representation of the interests of the Republic of Moldova in international organizations with regard to human rights and freedoms on personal data processing and use;
j) other functions, set by the Government.
Article 12. Register of Personal Data Holders
(1) The Human Rights Center shall elaborate and carry out the personal data register in order to register the personal data holders. The personal data register shall contain the following information:
a) information regarding personal data banks;
b) name or title of the personal data holder;
c) objective and method of collecting and use of personal data;
d)  juridical regime and their storing period;
e) subject categories and groups of the personal data;
f) personal data sources;
g) measures of security and confidentiality;
h) responsible persons for personal data processing;
i) other information, established by the Government.

Chapter IV
Confidentiality and Security of Personal Data Processing

Article 13. Confidentiality of Personal Data
(1) The personal data, possessed by the data holder, are confidential according to the legislation on access to information.
(2) From the moment of data subject decease, personal data related to him are used for archive or other purposes, set by the law, only after the successors consent.
(3) The confidential regime of personal data shall be canceled in the following cases:
a) in case of data subject request submission;
b) in case of personal data depersonalization;
c) after the expiration of 75 years of personal data storage .
Article 14. Personal Data Security
(1) Persons that deal with personal data processing are obliged to apply adequate security measures, in order to ensure protection of the personal data against accidental or non-authorized destruction, accidental loss, against non-authorized dissemination, modification or access.
(2) The minimal security requirements are mutually set by the
Human Rights Center with other public authorities in charge.
Article 15. Personal Data Depersonalization
(1) For the scientific, statistic, sociologic, medical etc. purposes, the personal data holder depersonalizes them, by withdrawing from its framework the part that permits identification of a certain individual, offering them, in such a way, an anonymous form that can not be associated with an identified or identifiable person.
(2) In case of depersonalization the confidential regime, set for these data, is canceled.

Chapter V
Personal Data Transborder Transfer

Article 16. Transborder Flow of Personal Data
(1) The following provision shall be applied to the transfer across national borders, by whatever medium, of personal data undergoing processing or collected with a view to their being processed.
(2) Personal data, that are on the territory of the Republic of Moldova or which are designated to transfer to other states, are protected in accordance with the present law and cannot be illegally falsified or used.
(3) The transborder transfer of personal data undergoing processing or with a view to their being processed after transfer shall occur only unless:
a) the respective state ensures an adequate level of protection of the rights of the data subjects and of the data designated to transfer;
b) in other cases, in accordance with international treaties the Republic of Moldova is party.
(4) The protection level shall be established by the supervising authority, taking into consideration condition of data transfer, especially nature of the data, the objective of data transfer and processing, the final designated state, legislation of the requesting state. In case the supervising authority concludes that the protection level offered by the designed state is unsatisfactory it can prohibit data transfer.
(5) It is not submitted to a special control or prohibits the personal data transborder transfer, from other states, through the territory of the Republic of Moldova, except cases contradicting legislation of the Republic of Moldova.
(6) The personal data transfer to the states that do not ensure an adequate protection level can occur only in the following cases:
a) with the written consent of the transferred data subject;
b) in case of need to enter/to execute an agreement or a contract between the data subject and its holder, or between data holder and a third party on behalf of data subject;
c) if the transfer is necessary to protect data subject rights, freedoms or interests;
d) in case when personal data come into public.

Chapter VI
Final and Transitional Provisions

Article 17. Responsibility for the Present Law- breaking
(1) For the present law violation the guilty person is responsible in conformity with civil, administrative and criminal legislation.
(2) The Ministry of Internal Affairs, the Human Rights Center and the Information Service and Security identify the fact of violation of provisions of the present law, within the limits of their competence.
(3) Sentences, regarding violation of the present law, are applied by the competent judicial instance.
Article 18. Final and Transition Provisions
(1) The Government in three months:
a) shall present to the Parliament suggestions regarding harmonization of legislation in accordance with this law;
b) shall put their normative acts in accordance with this law;
c) shall approve the Regulation regarding special regime of personal data use regarding some categories of public employees, elaborated by the Information Service and Security;
d) shall ensure the execution of department normative acts in accordance with this law.

Next PostNewer Post Previous PostOlder Post Home


Post a Comment