03
Tue, Dec
29 New Articles

Moldova’s EU-Inspired Path to Enhanced Data Protection

Issue 11.5
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In light of Moldova’s recent candidacy for European Union membership, significant political and legal reforms have been undertaken to align the country’s laws with EU standards. Among these changes, the data protection legal framework has seen notable upgrades to mirror the General Data Protection Regulation, with Gladei & Partners Partner Iulian Pasatii emphasizing the introduction of contractual clauses for data transfers and the new concept of subprocessors. According to him, these changes aim to reduce bureaucratic burdens, particularly benefiting Moldova’s IT sector, while presenting opportunities for clearer guidelines and enhanced data protection practices. However, challenges remain as Moldova strives to balance stringent EU-aligned regulations with the flexibility needed for business growth.

CEELM: Can you provide some background on the recent updates to Moldova’s data protection legal framework?

Pasatii: The recent upgrades to Moldova’s data protection legal framework are part of a broader political and legal shift toward aligning with European Union standards. With the Republic of Moldova receiving candidacy for EU membership in June 2022, there has been a strong push to amend various laws to meet EU criteria. Among these crucial amendments is the alignment of Moldova’s data protection laws with the General Data Protection Regulation (GDPR). While our laws are not identical to the GDPR, this alignment signifies a political commitment to adhere to EU policies and views on data protection.

CEELM: What are some of the crucial amendments introduced in this update?

Pasatii: One of the key changes is the introduction of contractual clauses for data transfers. While these clauses have been standard in the EU for quite some time, they are relatively new in Moldova. These now cover data transfers between controllers, controllers to processors, and processors to controllers. Previously, Moldovan controllers faced significant challenges in aligning with foreign partners due to the absence of these standardized clauses. The recent approval of these clauses by the Moldovan regulator, although late compared to the EU, marks an essential step forward.

Another significant change is the introduction of the subprocessor concept, which was not part of Moldovan law until about a year ago. This change is particularly relevant for IT sectors and data protection controllers as it facilitates smoother data processing operations involving subprocessors located abroad.

CEELM: Content-wise, what else is new in the framework? How does it compare with the EU standards?

Pasatii: The primary difference between Moldova’s current framework and the GDPR is the scale of sanctions for non-compliance. In Moldova, fines for data protection violations are relatively small, usually amounting to a few hundred euros. This is in stark contrast to the GDPR, where fines can reach up to 4% of a company’s global turnover, potentially amounting to millions of euros.

While the smaller fines in Moldova provide some operational freedom for businesses, they also highlight a critical area for future improvement. The Moldovan government has already put on its agenda a new data protection law aimed at aligning these fines more closely with GDPR standards, though we are still discussing significantly lower amounts compared to the EU.

CEELM: How have these changes impacted businesses?

Pasatii: The IT sector in Moldova has been significantly impacted by these legal amendments. The new framework reduces bureaucratic burdens and streamlines processes for submitting documents to foreign partners, controllers, and processors. This positive change is expected to boost economic activities by enabling data processing operations, cloud solutions, and other business ventures at a larger scale.

Before these amendments, pre-approval procedures could take anywhere from six months to a year, significantly delaying projects. The elimination of these procedures means that Moldovan businesses can now operate under rules similar to those in the EU, facilitating smoother and faster implementation of projects in the ICT area.

CEELM: What are the main opportunities and potential pitfalls of this new legal framework?

Pasatii: One of the main opportunities presented by this new framework is the clearer guidelines on data transfers and operations in a multi-jurisdictional market. By adopting standards similar to the EU, Moldovan businesses can now ensure the same level of data protection, which is crucial for success in international markets. Following the EU’s lead in this area is beneficial because it allows us to leverage their experience and best practices.

However, there are also challenges. While aligning with the EU framework brings a more mature and regulated environment, it also introduces higher fines and stricter regulations, which can be daunting for some sectors. The key will be finding a balance that ensures robust data protection without stifling business innovation.

CEELM: Are there any new specific rules or provisions worth noting?

Pasatii: Yes, we now have specific rules and provisions covering data protection impact assessments. These assessments include various aspects that have been part of the GDPR for quite some time. This addition is a positive step as it provides a structured approach for evaluating and mitigating data protection risks, further aligning our practices with EU standards.

CEELM: Looking to the future, how do you see the Moldovan regulator treating these new rules?

Pasatii: The future treatment of these rules by the Moldovan regulator will be critical. While the current framework aligns closely with the GDPR, it will be interesting to see how the regulator adapts these rules to the Moldovan context. The approach to data protection in Moldova will need to balance strict compliance with practical flexibility to support business growth. As we gain more experience and develop best practices, I believe Moldova will continue to refine and improve its data protection landscape.

This article was originally published in Issue 11.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.