One of the most important recent buzzwords in Moldova, at the intersection of legal services and IT, is GDPR compliance and its associated complications (and opportunities) – to strictly follow both the GDPR (where applicable extraterritorially in Moldova) and the Moldovan legal framework, which is partially aligned with the EU law.
Two recent legal amendments to the Moldovan Data Protection Law 133/2011 – one enacted on January 10, 2022, and the other just voted in the second reading before the Moldovan Parliament two weeks ago – are finally solving several fundamental discrepancies between the Moldovan and EU laws.
Firstly, a detailed legal regime has been introduced in the Moldovan law for the cross-border transmission of personal data, allowing a free movement of data between Moldova, the EEA states, and the countries ensuring an adequate level of personal data protection, as approved by the Moldovan regulator. This list currently includes countries like Argentina, Canada, Israel, Switzerland, or the UK.
Secondly, the problem of transferring personal data outside of EEA and the approved countries has been solved by approving the Moldovan version of the standard contractual clauses (SCC) covering three data-transfer scenarios: controller-to-controller; controller-to-processor; and processor-to-controller.
Accordingly, if a controller/processor processes personal data originated in or transferred to the Republic of Moldova – and the processing operations are carried out in a country that is neither a party to EEA, nor on the Moldovan regulator approved list – it must sign the Moldovan SCC with the Moldovan counter-party. It must also proactively ensure that its own onward transfers to sub-processors provide adequate safeguards – even though the primary responsibility is on the controller and exporter of personal data to make assessments before allowing any personal data to be transferred outside of the EEA or the pre-approved list of countries.
Further, a significant legal amendment passed recently, which introduces the concept of “sub-processor” to Moldovan legislation, regulating that a processor shall not engage another processor without prior specific or general written authorization of the controller; in the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby allowing the controller to object to such changes. Before this legal amendment, any third party involved in data processing operations on behalf of the controller, under Moldovan law, was required to sign direct data processing agreements with the controller, basically prohibiting processing subcontracts from being signed by the processors.
The same legal amendment elaborates that when a processor engages another processor for carrying out processing operations on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the (first) processor shall be further imposed on the other (sub)processor by way of a contract or other legal act – particularly providing sufficient guarantees to implement appropriate technical and organizational measures meeting the requirements of Moldovan law. Where that other processor fails to fulfill its obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
As a formal pre-approval step, to engage a sub-processor, the processor needs to have the controller’s written permission. The permission and terms of engagement of a sub-processor might be covered by the agreement between the controller and processor or documented at a later stage in a separate writ. If the controller has approved the engagement of a sub-processor, the processor shall sign a contract or other legal act requiring the sub-processor to meet the legal requirements under Moldovan law.
Naturally, the alignment of the Moldovan data protection law with the GDPR – with its complex case law and practical solutions – seems to be a good long-term solution for the Moldovan data protection legal framework. It remains to be seen whether the Moldovan practice will follow the same approach as in the EU.
By Iulian Pasatii, Partner, and Constantin Cretu, Junior Associate, Gladei & Partners
This article was originally published in Issue 10.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.