Selgitustaotlus

Dear Colleagues,

The National Center for Personal Data Protection (NCPDP) highly appreciates your institution’s openness as demonstrated through the exchange of information regarding the application of laws, regulations, standards, and national best practices in the field of personal data protection.

1.     Is there, in your country, a regulated period for retaining information on user actions within information systems (log files)? The question arises in cases where a data subject addresses the controller in exercising the right of access to personal data, particularly when such information systems are accessed by external users who request information about the access to their personal data. Previously, in the Republic of Moldova, a Government Decision (recently repealed) provided that the duration of storage of security audit results in personal data information systems must be justified in the personal data security policy, but in any case shall not be less than 2 years, in order to allow their use as evidence in the event of security incidents, potential investigations, or judicial proceedings. Therefore, it is currently unclear for what period a data controller is obliged to provide information about user actions related to the personal data of a data subject, and how long such records must be retained.
For instance, data from the State Population Register of the Republic of Moldova are stored indefinitely, and many controllers have access to them through the interoperability platform. In such circumstances, for how long must the holder of the Register retain the access audit logs, and for what minimum period is it obliged to provide a data subject with information about accesses to his or her personal data?

2.     In your country, does the Data Protection Authority have the right, during control or investigative procedures, to access criminal case files?
According to the criminal legislation of the Republic of Moldova, any interference, in any form, in the activity of the criminal investigation bodies is prohibited. Thus, in situations where a data subject submits a complaint regarding the unlawful processing of his or her data, or of other persons’ data, in the context of a criminal case (for example, the inclusion of copies of identity cards of persons unrelated to the case), does the Data Protection Authority examine such a file independently, with the support of the prosecutor managing the case, or is the verification carried out exclusively by the prosecutor?

If there is an officially published version of the relevant legal acts, we kindly ask you to attach it in electronic format or to indicate the corresponding link.

3.     Recently, the NCPDP has frequently encountered situations where, during the examination of complaints, video surveillance system operators do not cooperate with the Data Protection Authority, or declare that the camera in question was non-functional. Consequently, it becomes difficult or impossible to establish whether personal data are being processed through the respective video device.
Therefore, we kindly ask you to inform us how your institution proceeds in such cases, and what technical or administrative means you use in this regard.

In this context, we would also appreciate information on whether your Authority has issued any regulatory acts concerning personal data protection through video surveillance systems, which could serve as guidance for data controllers, and whether these could be shared with the NCPDP for consultation.

We thank you for your cooperation, and for the attention and time dedicated to examining this request. Given the sensitive nature of these issues, as well as the urgent need for the NCPDP’s intervention in ongoing cases, we would highly appreciate receiving your reply within a short timeframe.