There are frequent breaches of the law on personal data protection in the information systems of both public and private institutions in Moldova. The web pages of courts openly display certain decisions that contain personal data such as name, surname, patronymic, date of birth, origin, residence, nationality, citizenship, education and personal code, as well as information relating to physical, physiological, mental, economic and other personal characteristics.
The only authority empowered to oversee personal data processing is the National Center for Personal Data Protection of the Republic of Moldova (NCPD). In its last activity report (2015), the NCPD presented several cases of serious breaches of the law on personal data protection by public authorities and private companies.
Disclosure on the Internet of personal data by CEC, SRC and CRIS "Register"
Today, the web pages of public institutions are real sources of information for investigative journalists and ordinary citizens. Information on shareholders / founders of companies, on political parties' funders, as well as approved resolutions etc. can be obtained free of charge or for a certain amount of money. However, this kind of information is in some cases subject to personal data protection, which raises a conflict between the law and the public interest.
In late May this year, the NCPD ordered the CEC and the SRC, which offered public data, to stop providing it, as that information contains personal data.
In the case of the CEC, based on a petition submitted by a citizen, the NCPD found that the list of entities that had accessed the personal data relating to her included the Central Election Commission, which had disclosed information with limited accessibility. The CEC announced that it had done so to ensure institutional transparency. Shortly afterwards, however, the CEC declared that it was shutting down the websites it operated, for the alleged reason that "Center representatives have requested the suspension of these web sites", a claim that the Center denied. The NCPD says that although the websites managed by the CEC were suspended, access to the electronic address from which certain information with limited accessibility could be viewed could not be stopped. Access to the email address, where a significant amount of unrestricted personal data recorded in correspondence documents addressed to the CEC could be viewed, was stopped only after the SIS was informed of the case.
Accordingly, the Center notified the competent law enforcement bodies so that the case could be examined within a criminal investigation, the report said.
In the case of the SRC, the Center notes that it sells personal data. The SRC provides (at the initiative of the Government) information about the founders and shareholders of companies. Some of this information is provided free of charge, the rest for payment.
After the inspection it initiated, the Center found that the SRC reveals / sells information with limited access to any person who pays a certain amount of money, and that it processes the personal data of employees / visitors by means of video surveillance mounted in the hallways of the institution as well as in its offices - without having informed the Center of this recordkeeping system. The enterprise reportedly had not displayed signs indicating the existence of video cameras, which would inform employees / visitors about the processing of personal data through video devices, thus violating several legal provisions. Following the findings, the Center ordered the SRC to cease processing the personal data of enterprises' associates who are individuals, and suspended the processing of personal data through the video surveillance system. The NCPD also ordered the start of an administrative offence process against the SE "State Registration Chamber", as well as against the responsible persons.
A large number of public and private entities use the information services provided by SE CRIS "Register" through CIS "Acces-web". According to the NCPD, they were processing personal data stored in the state information resource in breach of legal provisions, because they were not registered in the Register of personal data operators, as stipulated in the contracts on information provision between SE CRIS "Register" and the beneficiary entities. Thus, the NCPD established that the personal data processing was illegal and ordered the Ministry of Information Technology and Communications of the Republic of Moldova, together with SE CRIS "Register", to terminate the processing. Subsequently, SE CRIS "Register" terminated the service contracts with entities that were not registered as operators in the Register of personal data controllers, ending the ability of these entities' representatives to access / process the information stored in the State Register of Population.
These were high-profile cases widely covered by the press.
According to the expert in media law, Mrs. Olivia Pîrţac, cited by media-azi.md, specialists from the NCPD insist on the idea of personal data protection and disclosure only with the consent of the person concerned. According to the expert, the Center does not consider the concept of public interest, or the priority of disclosing information over the person's interest in keeping it closed.
Unlawful processing of personal data concerning health
During 2015, special attention was paid to ensuring the lawfulness of processing personal data concerning health, particularly by public health care institutions, bearing in mind that this information belongs to the special category of personal data that constitutes a medical secret.
In one of the cases detected by the NCPD, citizen G. M. filed a complaint alleging that the lawyer of a citizen who had caused a road accident, which resulted in the death of a relative of the petitioner, requested and received from a health center the medical records of the deceased person, in which all the diseases the deceased had suffered from (from birth till death) were recorded, as well as those of citizen G. M. and of his minor children, in order to add them to the criminal case. G. M. noted that he did not agree to the processing of the data regarding him and his minor children, and considered that providing access to the medical records relating to them and releasing them was illegal. The NCPD found that the medical records were released to the lawyer by a nurse of the medical institution, after a consultation with the family doctor and the chief doctor. Thus, the Center found that the medical staff and the lawyer had violated the Law on personal data protection, which is why an administrative offence procedure was initiated against 4 persons (the lawyer, the nurse, the family doctor and the chief physician).
Identification data of sexually abused minors, exposed on the Internet
According to the NCPD report, during the period 2014 - 2015 most courts were registered as operators in the Register of personal data operators. The report also notes that to date the Supreme Court of Justice opposes the obligation to notify the Center of the use of such data.
A high-profile case in this category concerned the disclosure of identification data of certain sexually abused children. In May 2015, the Women Law Center notified the NCPD of unlawful personal data processing by the Chisinau Rîşcani sector Court, which published on the Internet, under an unrestricted regime, certain personal data regarding children / minors (name, surname, home address, date of birth). Moreover, the published statement contained information on the sexual abuse of these children, which belongs to a special category of personal data. According to the NCPD, the Rîşcani Court's judicial assistant reportedly published the information on the website of the institution inadvertently, without depersonalizing the personal data.
Though the publication of such data is contrary to the law, no one was punished. The Center claims that it did not react, because the limitation period had expired, but it noted that the persons the respective data relates to can personally use their right to justice.
According to the portal bizlaw.md, citing the same report, most institutions that violate the rules on the use of personal data are not held responsible, because courts delay the examination of such cases for as long as two years, whereas the limitation period is only 3 months from the time of the infringement. As a result, the infringement is merely recorded without anyone being punished. Moreover, the institution responsible is not even obliged to remedy the infringements.
Criminal record not updated
Failure to update the information stored in personal data recordkeeping systems is also punished.
In another case brought by the NCPD, a citizen sent a complaint about the processing of inaccurate personal information stored in the register of forensic and criminology data, managed by the Ministry of Internal Affairs. The person declared that, after requesting his criminal record, he found out that there were 5 criminal cases filed against him, of which 4 have been filed and a case is sent to court for settlement. However, when presenting the information, the MIA's subdivision did not have the information on the final outcome of the last case, arguing that it had not received the final sentence. Following this event, the amount of 5000 lei was withdrawn from the bank account of Edineţ District Court, which was guilty of not sending the sentence, as pecuniary and moral damages in favor of the citizen, and the information about him has been updated.
MIA employees are processing personal data without legal basis and purpose
The Police Sector processes a large volume of personal data. Thus, the cases most often noticed by the Center relate to verifying the legality of personal data processing carried out by law enforcement officers. In 2015 the Center found a number of violations in this regard.
One case presented in the report concerns a control of the lawfulness of the processing of personal data stored in the State Register of Population by authorized users of the Ministry of Internal Affairs (MIA), initiated on the basis of a complaint by citizen G. D. The Center found that the list of entities / subdivisions that had accessed the personal data relating to the petitioner included a division of the MIA. As a result, the Center requested the MIA to present information on the purpose, the legal basis and the causal link between the need to access / process the data on citizen G. D. and the material being examined. However, because it did not receive all the required information, which was withheld under the pretext of avoiding the disclosure of information from the criminal prosecution procedure, the Center sent the materials collected during the control to the Prosecutor General's Office.
The private sector: the case of "StarNet Soluții" LTD and "Elite Casting Agency" LTD
In 2015, several violations of personal data processing were found in the private sector, as well.
One of the most widely publicized, high-profile cases was that of Starnet, which placed the personal data of the company's customers on the Internet, under an unrestricted on-line regime. As a result, the Center initiated a control of the lawfulness of processing this limited-access information, after which the following violations were confirmed: unauthorized access to information record systems; processing of personal data stored in the recordkeeping systems managed by Starnet, in the name and on behalf of the operator, by another company; an unsecured security area; and unrestricted access to the premises / offices / corporate offices where personal data information systems are placed and to the place where such data is processed. In addition, in the case of Starnet, the Center found that the video surveillance system placed in hallways and on the territory of the company is operated without displaying the appropriate signs. Thus, the Center ordered the start of an administrative offence process against Starnet.
In another case, Starnet has entered into a dispute with the Competition Council (CC) for refusing to provide personal data of its customers and employees at the request of the CC during a competitive investigation on a potential case of unfair competition, committed by Starnet in 2011.
In this regard, according to bizlaw.md, on 25 May this year the Supreme Court of Justice issued a judgment according to which registration as a personal data operator does not serve as grounds for the Competition Council to have access to personal data.
This is a demonstration of the risk of a conflict between the private interest of individual privacy and the public interest (protection of competition in this case). The private interest prevailed in the SCJ’s decision.
In the case of "Elite Casting Agency" LTD, following an inspection, the NCPD found several nonconformities: processing the personal data of employees and prospective employees, visitors, customers and prospective customers, and managing multiple personal data filing systems, without notifying the Center; a lack of documents describing the security policy for personal data processing and designating the person responsible for the personal data security policy; performing the cross-border transfer of personal data concerning the customers of the entity (including minors) without any authorization, etc. As a result of the control, the Center decided to suspend the agent's personal data processing operations and to start an administrative offence investigation in respect of "Elite Casting Agency" LTD and the responsible person.
Unlawful processing of personal data by banks
Financial institutions also process personal data on a massive scale. In one of the cases presented in the report, the Center was informed by a citizen who alleged unlawful processing of personal data by a bank, through the public exposure of the entity's computing devices. Carrying out an unannounced control at the bank's branch, the NCPD found that the wall that delimits the security area was made of transparent glass, which gives the general public unrestricted access and the possibility of viewing / collecting the personal data processed inside the bank. Simulating possible methods of data processing, the Center determined that video images of limited-accessibility information can be freely taken from the exterior / public space. Following the control, the NCPD ordered the suspension of personal data processing by the subsidiary bank until the findings were remedied. Subsequently, the bank informed the Center that it had remedied the findings by applying "protective" films to the glass windows. The bank also noted that the same principles of transparency are used by the European financial services group of which it is a member. In this context, the Center requested international legal assistance from the personal data protection authority of the European Union member country where the financial services group operates, asking it to comment on the case.
Political parties can only process the data of their members
According to the NCPD, several political parties still have not aligned themselves with the principles of personal data protection. During 2015, the Center found several violations admitted by them, after several people filed complaints with the Center about the unlawful processing of personal data by several political parties through the collection, retention, use, disclosure and transmission of such data (name, surname, patronymic, home address) recorded in letters and / or envelopes sent to them, including to people who are not members of political parties. The Center has determined that these cases are ungrounded and excessive. Processing the personal data of subjects who are not party members, without their consent, is prohibited by law. Following the detected cases, the Center issued a general decision, mandatory for all political parties, ordering them to stop processing the personal data of persons who are not party members, unless the processing is based on their consent.
The Center proposed a legislative initiative to increase the fines for those who use personal data without complying with the law. Thus, the fines could rise from 10 thousand lei to 100 000, 500 000 and even 1 million lei.