GDPR impact study on private organizations in Moldova

INTRODUCTION

Personal data processing helps to achieve the goals of each organization and is closely related to its main activities. However, the processing of personal data is subject to specific national or international regulation. Personal data processing requirements in the European Union (EU) are now set out in the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018.

Many companies in Moldova offer goods and services to companies in the EU. For example, in 2017 the total export of goods from Moldova to the EU was 1596.6 million US dollars, representing 65.8% of total goods exports that year.[1] A significant proportion of the citizens of the Republic of Moldova have work and business relations with EU countries. Besides that, the state has decided to pursue integration with the EU and to implement EU rules in different sectors, including data protection. In this context, there will be more and more situations in which companies in Moldova are subject either to the direct applicability of GDPR or to its indirect applicability, when a company acts as a processor for a company in the EU.

The aim of this study is, first of all, to raise awareness of the cases in which GDPR applies directly to companies in Moldova, and also to offer recommendations for implementing GDPR principles together with explanations of the main GDPR requirements.

This impact study was prepared taking into account the results of meetings organized by the National Center for Personal Data Protection (NCPDP) with private sector associations and companies, as well as a review of their answers on existing data processing practice.

This document consists of three main parts: a) an explanation of the main terms of GDPR; b) an indication of all typical situations in which GDPR applies directly or indirectly to a company operating in Moldova, with some examples; c) data protection recommendations concerning GDPR implementation steps and an understanding of the core requirements.

1. TERMS AND DEFINITIONS

This chapter reflects only the most important terms defined in GDPR. Other relevant terms can be found in Article 4 of GDPR.

1.1. WHAT IS PERSONAL DATA?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. For example, personal identification data linked to any other information are personal data. Even an internet protocol address (IP address) is personal data under certain circumstances, for instance if a company collects IP addresses together with some other information.

Personal data that has been de-identified, encrypted or pseudonymized but can still be used to re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymization must be irreversible.
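To make the distinction drawn in the preceding paragraphs concrete, the following Python example (added here; it is not part of the original study and not code from the NCPDP) pseudonymizes a set of constructed sample records with a keyed token and shows that the key holder can still re-identify them, so the result remains personal data; it then anonymizes the same records by dropping the direct identifiers and generalising the rest with a small-group suppression step, so that nothing in the output can be mapped back to a person. The records, the secret key, the 10-year age bands, the group-size threshold and all function names are assumptions made for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for illustration only; the people, e-mails and values are invented.
RECORDS = [
    {"name": "Ana Popescu", "email": "ana@example.md", "city": "Chisinau", "age": 34},
    {"name": "Ion Rusu", "email": "ion@example.md", "city": "Chisinau", "age": 37},
    {"name": "Maria Lungu", "email": "maria@example.md", "city": "Balti", "age": 52},
    {"name": "Petru Cojocaru", "email": "petru@example.md", "city": "Chisinau", "age": 31},
]

# Hypothetical controller secret; in a real deployment it would be held in a key store,
# separately from the pseudonymized data set.
PSEUDONYM_KEY = b"controller-secret-key-example"


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the e-mail).

    Returns the pseudonymized rows and the token -> identity mapping that the
    controller keeps. Because the mapping (or the key itself) allows
    re-identification, the output is still personal data in GDPR terms.
    """
    mapping = {}
    rows = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = {"name": r["name"], "email": r["email"]}
        rows.append({"id": token, "city": r["city"], "age": r["age"]})
    return rows, mapping


def re_identify(rows, mapping):
    """Reverse the pseudonymization using the controller's mapping."""
    return [dict(r, **mapping[r["id"]]) for r in rows]


def age_band(age):
    """Coarsen an exact age to a 10-year band, e.g. 34 -> '30-39'."""
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def anonymize(records, k=2):
    """Irreversibly anonymize: drop direct identifiers, generalise quasi-identifiers.

    No mapping is kept, exact ages become bands, and any (city, band)
    combination shared by fewer than k records is suppressed so that no
    individual can be singled out. Nothing in the output lets anyone recover
    a name or an e-mail address.
    """
    generalised = [(r["city"], age_band(r["age"])) for r in records]
    counts = Counter(generalised)
    return [{"city": c, "age_band": b} for c, b in generalised if counts[(c, b)] >= k]


if __name__ == "__main__":
    pseudo_rows, lookup = pseudonymize(RECORDS, PSEUDONYM_KEY)
    print("pseudonymized:", pseudo_rows)
    print("re-identified by the key holder:", re_identify(pseudo_rows, lookup))
    print("anonymized:", anonymize(RECORDS))
```

The keyed token is deterministic for a given key, which is what lets a controller link records belonging to the same person across data sets; that linkability is exactly why the pseudonymized rows stay within the scope of GDPR. A plain, unkeyed hash of an e-mail address is not anonymization either, because the same input always yields the same output. Only the second function discards the information needed to get back to a person, and even then the suppression threshold is what prevents a lone record (here the single Balti row) from identifying someone on its own.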

GDPR protects personal data regardless of the technology used for processing that data: it is technology neutral and applies to both automated and manual processing, provided the data is organized in accordance with pre-defined criteria (for example, alphabetical order). It also does not matter how the data is stored (in an IT system, through video surveillance, or on paper); in all cases personal data is subject to the protection requirements set out in GDPR. Likewise, the place where personal data is stored is irrelevant if the applicability criteria indicate that GDPR applies.

1.2. WHAT IS PROCESSING?

Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

GDPR applies to the processing of personal data wholly or partly by automated means, as well as to non-automated processing if the data forms part of a structured filing system.

1.3. CONTROLLER and PROCESSOR

Controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Joint controller - where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under the Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them. The arrangement may designate a contact point for data subjects.

Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (for example, a controller in the EU transfers personal data to a processor in Moldova).

2. APPLICABILITY OF GDPR

While there is almost no doubt about the applicability of GDPR when a company's establishment is located in the EU, there may be questions as to when and how GDPR applies if the company is established in Moldova. GDPR may be directly applicable to any company established in Moldova if certain criteria concerning its personal data processing activities are met. Besides that, even if GDPR directly applies to a company in Moldova because of activities it performs towards the EU market, the national law on data protection in Moldova may apply as well. Thus, the company will also need to implement national requirements where they differ from the GDPR regime.

Thus, the general sequence of criteria concerning GDPR applicability is as follows: a) an economic activity b) that involves personal data processing c) and which takes place in the EU by means of the Moldovan company's establishment in the EU, or d) is carried out by a company established in Moldova, if the processing is directed towards data subjects in the EU. The following examples describe all possible situations regarding GDPR applicability.

Situation No.1 - direct applicability
Company of Moldova - not established in the EU

According to Article 3(2)(a) of GDPR, it directly applies to any company or other legal entity in Moldova whose personal data processing activities are related to the offering of goods or services, irrespective of whether a payment by the data subject is required, to data subjects in the Union.

"Offering goods or services" means more than mere access to a website or email address, but might be evidenced by the use of a language or currency generally used in one or more Member States together with the possibility of ordering goods or services there. Examples: web-based services aimed at data subjects of one or more EU member states; the sale of goods or services to the EU market; offering public cloud services and thereby collecting personal data; social sites or applications that process personal data from the EU.

Situation No.2 - direct applicability
Company of Moldova - not established in the EU

According to Article 3(2)(b) of GDPR, it directly applies to any company or other legal entity in Moldova whose personal data processing activities are related to the monitoring of data subjects' behaviour, as far as their behaviour takes place within the EU. For example, profiling of an internet user in the EU on the basis of user-related activities.

In the case of Situation No.1 and Situation No.2, GDPR requires that the controller or the processor (from Moldova) designates a representative, informing the relevant supervisory authority in the EU member state (unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or unless the controller is a public authority or body).

Situation No.3 - direct applicability
The company in Moldova has a local establishment in the EU and/or is related to one

If a company registered in Moldova has in an EU member state a subsidiary, representative office or any other office that processes personal data within its economic activity in the EU, then this office will be treated as an establishment in the EU and GDPR applies at least to that office (if not to all other offices or companies in Moldova[2], as one group of controllers in the EU).

For a clear decision concerning GDPR applicability to the other offices in Moldova, you should evaluate whether your offices in the EU process personal data only for the EU market and whether the personal data are in no way transferred to Moldova or used for any purpose in Moldova. Otherwise, sanctions may be imposed on the company in the EU, and the amount of the sanctions will be calculated taking into account your worldwide turnover.

Situation No.4 - indirect applicability
The company in Moldova operates as a processor for another company in the EU

Personal data are transferred to the Moldovan company from an EU entity (it may be your own subsidiary or any other partner in the EU), for example in order to perform value-added processing of the transferred personal data as a service, simply to store the data for the other company, or to deliver other personal data processing services to EU companies in the capacity of a processor. In this situation, personal data are processed by the Moldovan entity as a processor in terms of GDPR, and some GDPR requirements apply through Article 28 of GDPR and through the adequacy criteria applicable when personal data are transferred to third countries.

Situation No.5 - GDPR does not apply
The company is established in Moldova and the processing relates only to economic activity carried out in Moldova

If the company in Moldova does not process, and does not plan to process, personal data in any of the ways reflected in Situations No.1 to No.4, then GDPR does not apply.

3. MAIN ASPECTS TO ACHIEVE GDPR CONFORMITY

Every company should organize a self-evaluation in order to identify the gap between its current personal data processing practice and GDPR requirements.

It is important for controllers and processors to undertake thorough reviews of their existing data policy cycle so as to clearly identify which data they hold, for what purpose and on what legal basis. They also need to assess the contracts in place, in particular, those between controllers and processors, the avenues for international transfers and the overall governance (what IT and organizational measures to have in place). An essential element in this process is to ensure that the highest level of management is involved in such reviews, provides its input and is regularly updated and consulted on changes to the business’s data policy.

To this end, some operators make use of compliance checklists (either internal or external), seek advice from consultancies and law firms, and look for products that can deliver on the requirements of data protection by design and by default. It is also suggested in practice to take into account the opinions of the Article 29 Data Protection Working Party established under Directive 95/46/EC[3] on different issues of GDPR interpretation, which will help achieve the necessary implementation level.

The next chapters of this impact study set out recommendations, briefly identifying the goal and subject matter of the relevant GDPR requirement.

3.1. Purpose and legal grounds of processing

First of all, the company needs to define the purpose of each personal data processing operation. Defining the purpose helps to determine whether the processing is excessive in terms of the data types, amount and storage periods that are actually necessary.

If your company collects, uses or otherwise processes personal data, the company also has to evaluate whether there is a legal ground for each such processing operation. The company has to identify the relevant legal ground for the processing and ensure that its requirements are met. For example, where legitimate interests are relied on, the company has to define the legitimate interest and evaluate the necessity and proportionality of the processing.

Six legal grounds for processing personal data are defined in Article 6 of GDPR, namely: (a) data subject consent; (b) performance of a contract with the data subject; (c) compliance with a legal obligation imposed on the controller; (d) protection of the vital interests of the data subject; (e) performance of a task carried out in the public interest; or (f) legitimate interests pursued by the controller, subject to an additional balancing test against the data subject's rights and interests. Specific requirements on the processing of special categories of personal data are provided in Article 9 of GDPR, since in general the processing of special categories of personal data is prohibited.

Defining the legal grounds is also important in the light of data subject rights. For example, certain rights of data subjects are more significant when personal data are processed on the basis of consent (the right to be forgotten) and others when personal data are processed on the basis of legitimate interests (the right to object). Knowledge of the legal grounds enables the controller to provide precise information to the data subject according to Articles 13 and 15 of GDPR.

If the company takes decisions based solely on automated processing (including profiling) which produce legal effects concerning the data subject or similarly significantly affect him or her, only three legal grounds are possible: a) the data subject's explicit consent; b) the decision is necessary for entering into, or performance of, a contract between the data subject and the data controller; or c) it is provided for by law.

In order to understand the purposes and legal grounds of personal data processing, the company has to audit its existing practice and record the personal data categories, or even the individual types of personal data, that it processes.

3.2. Privacy by design and by default

Article 25 of GDPR defines the privacy by design and by default principle: taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Data protection by design is regarded as a multifaceted concept, involving various technological and organizational components, which implement privacy and data protection principles in systems and services.

GDPR addresses data protection by design as a legal obligation for data controllers and processors, making an explicit reference to data minimization and the possible use of pseudonymization. On top of this, it introduces the obligation of data protection by default, going a step further into stipulating the protection of personal data as a default property of systems and services.

It is recommended that the company evaluates and implements the privacy by design and by default principle not only in new data processing projects but also in existing information systems and services.

3.3. Information security

The organization of company information systems and the management of risks are very important issues for the implementation of GDPR and the protection of personal data. GDPR does not endorse any particular standards or specific security requirements, but contains principles for organizing information security.

Article 32 of GDPR provides: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The controller or processor has to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. To achieve that, it is necessary to evaluate the organization of information system hardware and software and the risks that may occur. In case of a personal data breach, the controller needs to notify it to the supervisory authority. If GDPR is directly applicable, the controller in Moldova needs to notify the breach to the same supervisory authority with which the representative was designated. If your company acts in the capacity of a processor, the breach has to be notified directly to the controller.

The following questions may help to understand whether the privacy by design and by default principle and the information system security aspects are settled in the company.
1. Has your company implemented data protection principles when data processing systems were introduced?
2. Have you carried out a written evaluation (audit) of information systems security and risks before or after (within the last 3 years) the development of your information systems?
3. Has your company introduced internal documents dealing with information systems security (based on risk evaluation)? (For example, an information system security policy, a risk evaluation methodology, information asset classification criteria, access rights granting rules, user rights and obligations, a mobile devices and internet policy, etc.)
4. Do you have an internal person who is responsible for implementing the information system security policy and measures, or who is responsible for personal data protection?
5. Is access to personal data by your employees controlled by means of usernames and passwords?
If your answer to any of these questions is "NO", your personal data processing organization may not correspond to GDPR requirements.
6. What other tools do you have for the protection of physical information resources?
7. What are your personal data storage (retention) periods? Have you set up any terms for data storage, retention and deletion?
8. Have you implemented an internal personal data breach registration procedure and notification procedure?
9. How do you destroy your documents and other information media?
If these issues are not settled by written procedures, your personal data processing organization does not correspond to GDPR requirements.

3.4. Data protection impact assessment

A data protection impact assessment (DPIA) is a tool designed to assess a company's compliance with its data protection obligations and to identify potential risks and mitigation strategies. A DPIA should ideally be completed at the design stage of a new system or program, and then revisited as program requirements and legal obligations change.