
Personal data protection

December 2019

Personal data protection legislation introduction

© 2019. For information, contact Deloitte Romania Data protection 2


Personal Data Protection Legislation

Moldavian Law related to personal data protection

EU Regulation 679 / 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
Preface
Personal data protection legislation at a glance

Moldova is looking to comply with art. 13 from the Association Agreement with the EU: “the parties agree to cooperate to ensure a high level of personal data protection according to EU, EC and international tools and legal standards”.

The Moldavian Law project related to the protection of personal data aligns with the EU Regulation GDPR and the EU Directive 680/2016 (concerned with the protection of individuals in relation to the processing of personal data by the Authorities for the prevention, discovery and investigation of criminal offences).

GDPR is intended to standardize and harmonize personal data protection regulations within the European Union.

The incorporation of obligations for data controllers, rights for data subjects and implementation of security controls require companies to adapt and review privacy policies and procedures currently in place.

These data protection reforms will require companies to implement a series of legal, technical and organizational measures to adapt to them which, in most cases, will mean they will need to perform an in-depth analysis of data protection procedures and possibly modify their business models for that purpose.



Main impacts
Increased penalties

01 Law 133 / 2011

EUR 750
Provides a maximum of 300 contraventional units (1 contraventional unit = 50 MDL) = approx. 750 EUR (these sanctions are not considered effective, proportionate and dissuasive as compared with the GDPR)

02 New law

Very serious infringements: up to EUR 100,000 or up to 2% of the total worldwide annual turnover
Penalties for non-compliance with, for example, the articles in relation to:
• The basic principles for processing, including conditions for consent
• The data subjects' rights
• Transfers of personal data to a recipient in a third country or an international organization
• Any other obligations (i.e. not included in the personal data protection law) pursuant to Moldavian law
• Orders by the supervisory authority

Up to EUR 52,000 or up to 1% of the total worldwide annual turnover
Penalties for non-compliance with, for example, the articles in relation to:
• The obligations of the controller and the processor
• The obligations of the certification bodies
• Monitoring of approved codes of conduct



Terms and definitions



Define
What is personal data?

Definition

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Data which may be processed

• name and surname
• full name of family members
• address (home/residence)
• profession/job title
• training/diplomas/studies
• date and place of birth
• e-mail
• data on owned assets
• image
• family status
• pension file no.
• voice
• military status
• telephone / fax
• citizenship
• civil status data
• nickname / alias
• signature
• bank data
• geolocation data
• sex
• data from driver's license / certificate of registration
• physical / anthropometric data
• habits / preferences / behavior
• economic & financial situation



Define
Types of personal data (1/2)

Personal Data
• Pseudonymized data
• Encrypted data
• Anonymous data
• Aggregated data
• Company’s data

Special categories of Personal Data
• Health data
• Ethnic origins
• Genetic data
• Criminal record
• Political options
• Sexual orientation
• Union membership
• Religious and philosophical beliefs
• Biometric data



Define
Types of personal data (2/2)

What types of personal data do you process?

Normal
• Name
• Address
• Physical traits
• Contact details
• Hobbies
• Location data

Sensitive
• Race
• Genetic data
• Political leanings
• Trade union member
• Health data
• Sexual history



Define
Processing

Processing: any operation performed upon personal data (collecting, recording, organization, use, disclosure by transmission, alignment or combination, erasure or destruction)

Personal Data lifecycle

Collection
• Collection
• Record

Storage
• Organize
• Store

Use
• Consult
• Search
• Process
• Update
• Modify
• Combine
• Relation
• Align

Transfer
• Transfer
• Distribution

Retention & Disposal
• Disposal
• Delete / Discard
• Block



Define
Controller and Processor

Controller: person / individual or entity who determines the purposes and means of processing

Processor: person / individual or entity who processes the personal data on behalf of the controller

Personal data of:
• Employees
• Clients (natural persons)
• Other Banks’ / Business partners’ representatives (natural persons)



Main Concepts



Concepts
Personal data protection snapshot for organizations

Organization – Daily activities
Processing activities: activities involving personal data
Data security
Governance



Concepts
GDPR articles

PDPL – topics:
• Principles
• Consent
• Data transfers
• Special categories
• DPO
• Data subjects’ rights
• DPIA
• Privacy by design & default
• Data breach
• Data security
• Processors
• RPA



Concepts
Legal basis for processing

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.



Concepts
Principles related to processing of personal data

Personal data shall be processed in accordance with certain core principles:
• lawfulness, fairness and transparency
• purpose limitation
• data minimization
• accuracy
• storage limitation
• integrity and confidentiality



Concepts
Consent

01 Fully informed – withdrawal + opt out
02 Actively granted
03 Freely given
04 Call out the consent clearly and as a stand-alone provision – specific
05 Pre-ticked boxes are not allowed
06 Profiling – online behavioral advertising:
- Full transparency (right to be informed)
- Right to object

Consent should not be used (not possible) in cases such as:
• financial assessment
• fraud prevention
• AML procedures
• financial models for evaluation of losses correspondent to credits



Concepts
Information

01 Identity and contact details (incl. DPO)
02 Purpose(s) (incl. legitimate interest)
03 Recipients (incl. transfer)
04 Period for which data is stored (or criteria used)
05 Rights (access, rectification, erasure, restriction, object, portability)
Right to withdraw consent at any time
06 Right to lodge a complaint
Contractual requirement



Concepts
Data subjects’ rights

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to data portability
• Right to object
• Right not to be subject to an automated decision
Records of Processing Activities



Records of processing activities (RPA)
Application and content

RPA Application
• Organizations > 20 employees
• Controllers or processors engaging in processing activity that:
  - Is not occasional
  - Includes special categories of data and data relating to criminal convictions and offences
  - Is likely to result in a risk to the rights and freedoms of data subjects

RPA Content – 5 years retention time
• The purpose for processing
• A description of the categories of data subjects and of the categories of personal data
• IT systems involved in the processing
• The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations
• The transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards
• Technical and organizational security measures
• The envisaged time limits for erasure of the different categories of data



Security measures



GDPR technical measures
Objectives

• Integrity
• Confidentiality
• Availability
• Resilience

Technical measures
• Encryption
• Pseudonymization
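Pseudonymization is listed here as a technical measure, and the earlier "Types of personal data" slide separates pseudonymized data from anonymous data. The Python below is an added example, not code from the deck or from Deloitte, showing what makes a pseudonym a pseudonym in the GDPR sense: direct identifiers are replaced by a keyed HMAC value, the key is the "additional information" that must be stored apart from the data set, analysts can still link rows belonging to the same subject, and only the key holder can re-identify. The sample records, field names, the `PseudonymKey` class and the 24-character pseudonym length are constructed for illustration; the unkeyed plain-hash function is included only to contrast the weak setting with the keyed one.

```python
"""Pseudonymization as a technical measure: keyed pseudonyms for direct identifiers.

Added example, not part of the original slide deck. Sample records, field names and
the PseudonymKey helper are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data set: direct identifiers plus the attributes an analyst needs.
SAMPLE_RECORDS = [
    {"client_id": "C-1001", "email": "ana@example.com", "city": "Chisinau", "balance_eur": 1200},
    {"client_id": "C-1002", "email": "ion@example.com", "city": "Balti", "balance_eur": 350},
    {"client_id": "C-1001", "email": "ana@example.com", "city": "Chisinau", "balance_eur": 1250},
]
DIRECT_IDENTIFIERS = ("client_id", "email")
PSEUDONYM_LENGTH = 24  # hex characters kept from the HMAC output (constructed choice)


@dataclass(frozen=True)
class PseudonymKey:
    """The "additional information" that allows re-identification.

    Data stays pseudonymized only while this key is kept separately from the
    pseudonymized data set (separate store, separate access rights).
    """
    secret: bytes

    @classmethod
    def generate(cls) -> "PseudonymKey":
        return cls(secrets.token_bytes(32))


def pseudonymize_value(key: PseudonymKey, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym: same input -> same pseudonym (linkability kept)."""
    message = f"{field}\x00{value}".encode()  # the field name separates the domains
    return hmac.new(key.secret, message, hashlib.sha256).hexdigest()[:PSEUDONYM_LENGTH]


def unkeyed_pseudonym(field: str, value: str) -> str:
    """The weak setting: a plain hash. Anyone who knows the input can recompute it."""
    return hashlib.sha256(f"{field}\x00{value}".encode()).hexdigest()[:PSEUDONYM_LENGTH]


def pseudonymize_records(key: PseudonymKey, records: list) -> list:
    """Replace every direct identifier; leave the analytic attributes untouched."""
    result = []
    for record in records:
        copy = dict(record)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = pseudonymize_value(key, field, record[field])
        result.append(copy)
    return result


def reidentify(key: PseudonymKey, pseudonym: str, field: str, known_values: list):
    """Re-linking needs both the key and the original identifiers held by the controller."""
    for value in known_values:
        if hmac.compare_digest(pseudonymize_value(key, field, value), pseudonym):
            return value
    return None


def same_subject(pseudonymized: list, i: int, j: int) -> bool:
    """Analysts can still group rows by subject without seeing who the subject is."""
    return pseudonymized[i]["client_id"] == pseudonymized[j]["client_id"]


if __name__ == "__main__":
    key = PseudonymKey.generate()
    rows = pseudonymize_records(key, SAMPLE_RECORDS)
    for row in rows:
        print(row)
    print("rows 0 and 2 belong to one subject:", same_subject(rows, 0, 2))
    print("key holder re-links row 1 to:",
          reidentify(key, rows[1]["client_id"], "client_id", ["C-1001", "C-1002"]))
```

The HMAC construction keeps the property the deck's lifecycle slide relies on (rows can still be combined and aligned per subject) while making the mapping useless to anyone who holds the data set but not the key; with a different key the same identifiers produce unrelated pseudonyms, which is also why rotating the key breaks old links.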



Moldavian law project
Processing security measures

# Measure
1 Physical security – space where PD is processed (offices, data centers)
2 User identification and authentication – user access management process
3 Procedures for user access provisioning – role matrix, activity logging and monitoring
4 SW / HW change management process, application whitelisting
5 Protection of storage devices – inventory of assets, encryption, remote wipe
6 AV protection
7 Intrusion prevention and detection tools
8 Integrity in transfer: encryption and electronic signature
9 Availability: backup and restore, DRP
10 Confidentiality: access rights – need to know
11 Data classification – proper labeling of personal data
12 Enabling audit logs and store them for 5 years
13 Security incident management
14 Internal controls / internal audit for security – on an annual basis
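Measures 3, 10, 11 and 12 above fit together: a role matrix grants access to labelled data categories on a need-to-know basis, every decision is logged, and the log is retained for five years. The Python below is an added example, not from the deck or from Deloitte, putting those four measures into one deny-by-default authorization routine with a JSON-lines audit log and a retention purge. The roles, data categories, users and the `ROLE_MATRIX` layout are constructed for illustration.

```python
"""Need-to-know access rights via a role matrix, with audit logging retained for 5 years.

Added example, not from the slide deck; roles, categories and users are constructed.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

AUDIT_RETENTION_YEARS = 5  # measure 12

# Constructed role matrix (measure 3): role -> data category (measure 11 label) -> allowed operations.
# Anything not listed is denied (measure 10, need to know).
ROLE_MATRIX = {
    "loan_officer": {"client_contact": {"read"}, "credit_file": {"read", "update"}},
    "marketing": {"client_contact": {"read"}},
    "dpo": {"client_contact": {"read"}, "credit_file": {"read"}, "health": {"read"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    category: str   # data classification label, e.g. "credit_file"
    operation: str  # "read", "update", ...


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, request: AccessRequest, decision: str, at: datetime) -> None:
        self.entries.append({
            "ts": at.isoformat(),
            "user": request.user,
            "role": request.role,
            "category": request.category,
            "operation": request.operation,
            "decision": decision,
        })

    def to_jsonl(self) -> str:
        """One JSON object per line, the shape most log collectors ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def retention_expiry(ts: datetime) -> datetime:
    """An entry may be deleted once it is older than the retention period."""
    try:
        return ts.replace(year=ts.year + AUDIT_RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        return ts.replace(year=ts.year + AUDIT_RETENTION_YEARS, month=3, day=1)


def authorize(request: AccessRequest, log: AuditLog, now: datetime) -> bool:
    """Deny by default: only operations listed in the role matrix pass. Every decision is logged."""
    allowed_ops = ROLE_MATRIX.get(request.role, {}).get(request.category, set())
    granted = request.operation in allowed_ops
    log.append(request, "allow" if granted else "deny", now)
    return granted


def purge_expired(log: AuditLog, now: datetime) -> int:
    """Drop entries past the retention period; returns how many were removed."""
    kept = [e for e in log.entries if retention_expiry(datetime.fromisoformat(e["ts"])) > now]
    removed = len(log.entries) - len(kept)
    log.entries = kept
    return removed


def denied_requests(log: AuditLog) -> list:
    """Monitoring hook (measure 3): denied attempts are what a reviewer looks at first."""
    return [e for e in log.entries if e["decision"] == "deny"]


if __name__ == "__main__":
    log = AuditLog()
    now = datetime.now(timezone.utc)
    authorize(AccessRequest("u1", "loan_officer", "credit_file", "update"), log, now)
    authorize(AccessRequest("u2", "marketing", "credit_file", "read"), log, now)
    print(log.to_jsonl())
    print("denied:", len(denied_requests(log)))
```

Unknown roles and unknown categories fall through to an empty permission set, so a typo in a role name fails closed rather than open; the log records the role and category that were evaluated, which is what an internal audit (measure 14) needs to reconstruct who could reach which labelled data.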



Data breach



Security measures
Personal data breach

• A type of security incident
• Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Breach types: Integrity breach, Availability breach, Confidentiality breach

Requirements related to processing of personal data:
• Use appropriate technical and organizational measures
• Process personal data to ensure its appropriate security
• Protection against unauthorized or unlawful processing
• Protection against accidental loss, destruction or damage



Data Breach
Notification and Communication

Data Protection Authority – Notification
• 72 hours after having become aware
• Risk to the rights and freedoms of natural persons
• Describe the nature of the personal data breach, categories and approximate number of data subjects and records
• Name and contact details of the DPO
• Describe likely consequences of breach
• Describe measures taken to address the breach and mitigate adverse effects
• No notification: if personal data are already publicly available (no confidentiality breach) and no availability breach

Individual (Data subject) – Communication
• Without undue delay
• High risk to the rights and freedoms of natural persons
• Describe the nature of the personal data breach
• Name and contact details of the DPO
• Describe likely consequences of breach
• Describe measures taken to address the breach and mitigate adverse effects
• Communicate to the affected data subjects directly
  - If disproportionate effort – public communication
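The two tracks above (authority within 72 hours when there is a risk, data subjects without undue delay when the risk is high) and the no-notification exemption are the kind of rules an incident-response runbook encodes so that nobody has to recall them at 2 a.m. The Python below is an added example, not code from the deck or from Deloitte: it computes the 72-hour deadline from the moment of awareness, decides which track applies, and lists which of the required notification contents are still missing. The `BreachRecord` fields, the three breach types and the sample stolen-laptop breach are constructed; the risk level is deliberately an input, because assessing it is a judgment the tool cannot make.

```python
"""Breach notification decision support (added example, not part of the deck).

Models the two tracks from the slide: notification to the Data Protection Authority
within 72 hours of becoming aware when there is a risk, and communication to data
subjects without undue delay when the risk is high. Field names and the sample
breach are constructed; the risk level is an input, i.e. a human judgment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DPA_NOTIFICATION_WINDOW = timedelta(hours=72)
BREACH_TYPES = {"confidentiality", "integrity", "availability"}
RISK_LEVELS = ("none", "risk", "high")


@dataclass
class BreachRecord:
    became_aware_at: datetime
    breach_types: frozenset            # subset of BREACH_TYPES
    risk_level: str                    # one of RISK_LEVELS
    data_already_public: bool = False  # the slide's exemption: data already publicly available
    nature: str = ""
    affected_subjects: int = 0
    affected_records: int = 0
    dpo_contact: str = ""
    likely_consequences: str = ""
    measures_taken: str = ""

    def __post_init__(self):
        if not self.breach_types <= BREACH_TYPES:
            raise ValueError(f"unknown breach type in {self.breach_types}")
        if self.risk_level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {self.risk_level!r}")


def dpa_deadline(breach: BreachRecord) -> datetime:
    """Latest moment for notifying the authority: 72 hours after becoming aware."""
    return breach.became_aware_at + DPA_NOTIFICATION_WINDOW


def hours_remaining(breach: BreachRecord, now: datetime) -> float:
    """Negative once the 72-hour window has passed."""
    return (dpa_deadline(breach) - now).total_seconds() / 3600


def dpa_notification_required(breach: BreachRecord) -> bool:
    """Notify when the breach poses a risk, unless the slide's exemption applies:
    data already publicly available (so no confidentiality breach) and no availability breach."""
    exempt = breach.data_already_public and "availability" not in breach.breach_types
    if exempt:
        return False
    return breach.risk_level in ("risk", "high")


def subject_communication_required(breach: BreachRecord) -> bool:
    """Data subjects are told directly only when the risk to them is high."""
    return breach.risk_level == "high"


def missing_notification_fields(breach: BreachRecord) -> list:
    """Content the notification must carry; an empty list means it is complete."""
    missing = [name for name in ("nature", "dpo_contact", "likely_consequences", "measures_taken")
               if not getattr(breach, name).strip()]
    if breach.affected_subjects < 1:
        missing.append("affected_subjects")
    if breach.affected_records < 1:
        missing.append("affected_records")
    return missing


if __name__ == "__main__":
    # Constructed sample: a laptop holding a client list is stolen (confidentiality breach).
    breach = BreachRecord(
        became_aware_at=datetime(2019, 12, 2, 9, 0, tzinfo=timezone.utc),
        breach_types=frozenset({"confidentiality"}),
        risk_level="high",
        nature="Unencrypted laptop with client contact list stolen from a branch office",
        affected_subjects=120,
        affected_records=120,
        dpo_contact="dpo@example.com",
        likely_consequences="Unwanted contact and phishing against clients",
        measures_taken="Remote wipe issued; device reported to police; clients being contacted",
    )
    print("DPA deadline:", dpa_deadline(breach).isoformat())
    print("notify DPA:", dpa_notification_required(breach))
    print("communicate to subjects:", subject_communication_required(breach))
    print("missing fields:", missing_notification_fields(breach))
```

Note that the clock starts at awareness, not at the time of the incident, so the record keeps `became_aware_at` rather than an incident timestamp; the public-data exemption is implemented exactly as the slide words it, and an availability breach of otherwise public data still triggers notification.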



Personal data breaches
Notifications to Data Processing Authorities

[Bar chart "Data breach notifications": number of notifications per country for Romania, Bulgaria, Czech, Slovakia, Lithuania, Poland, Hungary, Croatia; y axis 0 to 2500. Bar values visible in the extracted text: 2000, 626, 398, 380, 100, 33, 0, 0; the country-to-value mapping is not recoverable from the extracted text.]



Personal data breaches
Causes and effects

• Unauthorised access to data – hacking attacks
• Data theft: computers, portable storage devices
• Database theft and data encryption
• Unauthorised data disclosure – employees
• Copy of data
• Technical issues with information systems
• Data loss: document destruction due to disasters
• Physical documents loss by employees
• Data alteration / modification
• Unsecure destruction of documents by the Controllers
• Data made public following unauthorized third party disclosure



Thank you

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/ro/about to learn more about our global network of member firms.
Deloitte provides audit, consulting, legal, financial advisory, risk advisory, tax and related services to public and private clients spanning
multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in
more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients' most complex
business challenges. To learn more about how Deloitte's approximately 244,000 professionals make an impact that matters, please connect
with us on Facebook or LinkedIn.
Reff & Associates SCA is a law firm member of Bucharest Bar, independent in accordance with the Bar rules and represents Deloitte Legal in
Romania. Deloitte Legal means the legal practices of Deloitte Touche Tohmatsu Limited member firms or their affiliates that provide legal
services. Visit the global Deloitte Legal website http://www.deloitte.com/deloittelegal to see which services Deloitte Legal offers in a
particular country.
