Page 1

HGO296 / 2012
Unique Internal ID: 343273
Версия на русском

File of the legal act

Republic of Moldova
GOVERNMENT
DECISION No. 296
from 15.05.2012
on the approval of the Regulation of the Register of evidence
of personal data controllers
Published: 25.05.2012 in the Official Gazette no. 99-102 art Nr: 336
Pursuant to letter f) para. 1) art. 20 of Law no. 133 of July 8, 2011 on the protection of personal data (Official Gazette of the Republic of Moldova, 2011, no. 170-175, art. 492), the Government
DECIDES:
The Regulation of the Register of records of personal data operators is approved (attached).
THE PRIME MINISTER
Countersign:
Minister of Technology
information and communications

Vladimir FILAT

Pavel Filip

Nr. 296. Chisinau, May 15, 2012.

Approved
by Government Decision no. 296
of May 15, 2012

REGULATION
OF THE REGISTER OF OPERATORS
PERSONAL DATA
Chapter I
GENERAL DISPOSITIONS
1. The Regulation of the Register of evidence of personal data operators (hereinafter - Regulation) transposes art. 21 of Directive 95/46 EC of the European Parliament and of the Council
Decision of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, published in the Official Journal of the European Union
Of the European Communities (OJEC) no. L 281 of 23 November 1995 and is the instrument through which the National Center for the Protection of Personal Data (hereinafter
- Center) implements the policy of ensuring an adequate level of protection of personal data in the Republic of Moldova.
2. The Regulation establishes the procedures and the mechanism for registration and registration of operators, databases, information and IT systems in which they are stored and processed.
personal data, as well as ensuring the right to information of any person.
3. For the purposes of this Regulation, the following concepts shall be used:
1) personal data record system - any structured series of personal data accessible according to specific criteria, whether it is centralized, decentralized or
distributed according to functional or geographical criteria. As a system for recording personal data, it is included but not limited to, databases, systems
information and informatics in which personal data are stored and processed automatically or manually;
2) notification (information statement) - standardized form, completed and submitted on the operator's own responsibility, in order to register, modify or delete the information objects in
Register;
3) One-stop shop of the National Center for Personal Data Protection (hereinafter - One-stop shop) - single point of reception and mechanism that ensures the addressing of operators
at the Center, in order to notify in order to register the personal data recording systems, the coordination with the public authorities that are holders of the necessary information and data
for registration;
4) official of the One - Stop Shop - employee of the Center who exercises the functions provided by the present Regulation.
4. This Regulation establishes a single procedure for the receipt of notifications from registrants by their personal address or by correspondence at the One-Stop Shop.
Center or online presentation of the notification and documents attached to the electronic format authenticated by the digital signature, submitted through the public interface of the official website of the
Center in the Internet.
5. The registration of operators and personal data recording systems, the modification and deletion of the entries in the Register is free of charge.
6. The standard form of the notification (information declaration) shall be drawn up and approved by the Center.
Chapter II
KEEPING THE REGISTER
7. The register of records of personal data operators (hereinafter - the Register) is kept in electronic form, in the state language, which is a set of objects
information, using the automated information system, in the manner and under the conditions provided by law.
8. The subjects of the legal relations that appeared as a result of the establishment of the Register are:
1) the state, as owner of the Register;
2) The Center, as owner, holder and registrar of the Register;
3) the operators or the persons empowered by them as providers of the data that are stored in the Register;
4) the holders of the evidence systems in which information and data necessary for verifying the authenticity of the documents / documents / information presented by the applicants for registration in
quality of information providers;
5) the natural or legal person mandated with the right to receive the data from the Register, according to the law.
9. The Registrars and the person empowered to exercise internal control over the keeping of the Register shall be appointed by the management of the Center.
10. The information objects of the Register are:
1) name, surname / surname and domicile / headquarters in the Republic of Moldova of the operator and / or of the person authorized by him, IDNO / IDNP code;
2) the stated purpose of the processing of personal data;
3) description of the category (ies) of the subjects of personal data, description of the category / s of the data to be processed, as well as of the sources of origin of these data;
4) information on the existence of the consent of the subjects of personal data regarding the processing of these data;
5) the way in which the subjects of personal data are informed about their rights; where applicable, the estimated date for completion of the processing operations, as well as the subsequent destination
of personal data processed;
6) the exhaustive list of the recipients to whom the personal data are intended to be disclosed by transmission, dissemination or in any other way;
7) guarantees regarding the transmission of personal data to third parties;
8) proposals regarding cross-border transfers of personal data that are intended to be made;
9) the categories of data that will be subject to cross-border transfer;
10) the state of destination for each category of data that will be subject to cross-border transfer;
11) the persons responsible for the processing of personal data;
12) specification of the personal data recording systems, as well as of the possible links with other data processing or with other personal data recording systems,
regardless of whether they are performed or not, respectively whether or not they are located on the territory of the Republic of Moldova;
13) the reasons that justify the application of the provisions of art. 10 and par. (3) art.12 of Law no. 133 of July 8, 2011 on the protection of personal data, if the data processing
it is done exclusively for journalistic, artistic or literary purposes or for statistical, historical or scientific research purposes;
14) general description of the measures taken to ensure the security of the processing of personal data.
11. The following actions will be reflected in the Register:
1) registration of operators and personal data recording systems;
2) modification of the registration of operators and personal data recording systems;
3) deletion of the registration of operators and personal data recording systems.
12. The information stored in the Register, except for those assigned by law to the category of those with limited accessibility, regulated by the legislation in force, shall be made public by
through the official website of the Center in the Internet, within no more than 3 days from the date of adoption of the decision of registration, modification or deletion.
13. The documents based on which the entries in the Register are made are presented in electronic format in compliance with the requirements for the electronic document, provided by Law no. 264-XV of 15
July 2004 on electronic document and digital signature.
14. If the documents are not signed with a digital signature, they shall be submitted in electronic format, with the attachment on paper, signed in handwriting and, where appropriate, confirmed with
stamp of the applicant for registration as a legal entity. If the information presented on paper is contained on several sheets, they will be sewn with the application, on each, of
the signature and, where applicable, the stamp of the applicant for that registration.
15. The registrar is entitled to:
1) to request additional information regarding the information objects that are being registered, if there are doubts regarding the authenticity and completeness of the presented data;
2) to make entries in the Register or the deletion from it based on the information obtained by connecting to the state information resources.
16. The holders of the evidence systems in which data necessary for the authenticity of the documents / documents / information presented by the registrants are stored are obliged to
present, within 10 working days and in full volume, the information requested by the registrar.
17. The registrar is obliged:
1) to enter only truthful information based on the data presented by the information provider;
2) not to admit the modification, destruction and / or illegal use of the data from the Register;
3) to respond, within 15 days, to the requests of the entities that have the legal right to request the information assigned to the category of the one with limited accessibility. In case of detection
untrue information submitted and stored in the Register, the information will be updated, and within 15 days, these entities will be informed of the adjustments made.
18. The Center refuses to register operators and personal data recording systems, with the issuance of the appropriate decision in this regard, in cases where:
1) the documents annexed to the notification contain untrue information;
2) the notification has been completed by the applicant for registration in accordance with the model approved and made available by the Center and / or not all the confirmatory documents of the
information required to be entered in the Register in accordance with this Regulation, provided that the operator has not complied with the requirements to take measures to remove
these deficiencies within the time limit set by the registrar;
3) the organizational and technical measures necessary for the protection of personal data do not correspond to the provisions of the requirements for ensuring the security of personal data at
their processing within the personal data information systems.
Chapter III
ORGANIZATION OF THE ACTIVITY OF THE SINGLE COUNTER
19. The activity of the One-Stop Shop is organized and provided by the Evidence and Control Department of the Center.
20. The notifications of the registrants, accompanied by the confirmatory documents, necessary for the registration and updating of the informational objects of the Register, are submitted at the Counter
unique.
21. Each system for recording personal data shall be notified separately.
22. The official of the One-Stop Shop verifies the correctness of completing the notification and the veracity of the documents presented.
23. The notification is not accepted for examination and is returned if it is not signed, or is signed by a person not authorized by this right.
24. In case of acceptance of the notification, the registrant is informed about the examination deadline, as well as about the notification method regarding the examination result and the issued decision.
Chapter IV
ADMINISTRATIVE PROCEDURES
Section 1
Notification registration
25. The possibility of completing the notification in electronic format is provided on the Centre's official website on the Internet.
26. After completing the notification in electronic format, it may be signed by applying the digital signature or printed on paper, signed in handwriting by the registrant and
sent / presented at the One-Stop Shop, in the manner established by this Regulation.
27. Upon receipt of the digitally signed notification corresponding to the requirements for the electronic document, the information system will send to the contact e-mail address indicated by
the registrant, a message confirming the receipt of the notification form.
28. Upon receipt of the notification regarding the personal data processing operations which, by virtue of the law, requires prior verification, the official of the One-Stop Shop shall inform
the applicant for registration on the deadline and the list of documents to be submitted to the Center in order to ensure the pre-verification procedures.
29. The Center shall examine the notification and issue, within no more than 30 calendar days from the date of its submission, or from the date of the adoption of the decision authorizing the processing operations.
of personal data, provided by art. 24 para. (2) of Law no. 133 of 8 July 2011 on the protection of personal data, a decision on registration or refusal of registration
the operator and / or the personal data record system.
30. The results of the examination of the notification shall be notified to the applicant for registration, within 3 days from the adoption of the decision.
31. The decision on the refusal of registration can be challenged in the administrative court. The term for contesting the decision to refuse registration runs from the date of receipt of the information
presented by the Center or its first download, fact registered by the automated system and presented in the form of an alert in the operator's profile.
32. Refusal of registration shall not prevent the registrant from repeatedly submitting the notification after removal of the grounds which served as the basis for issuing the refusal decision.
33. Upon primary notification, each controller and / or personal data record system shall receive a registration number which remains unchanged until its deletion from
Register, and may not be assigned to another operator or personal data record system.
34. The registration number is a 10-digit identifier consisting of the operator's identifier and the serial number of the personal data record system,
by model:
XXXXXXX-YYY
so:
XXXXXXX - the operator identifier;
YYY - the identifier of the personal data record system.
35. Next, all the documents by which the personal data are processed are marked, indicating only the identifier of the operator.
36. The Center keeps records of operators and personal data records in electronic format, in which all documents / files submitted in
in connection with the registration / modification / deletion of entries in / from the Register.
37. The manner of keeping and keeping records is established by the Center in accordance with the legislation in force.
Section 2
Prior check
38. The categories of personal data processing operations subject to cross-border transmission, as well as the categories of data processing operations, shall be subject to prior verification.
processing of personal data that present special risks for the rights and freedoms of persons specified in art. 24 para. (2) of Law no. 133 of July 8, 2011 on protection
personal data.
39. The prior verification shall be carried out on the basis of the information provided in the notification submitted by the registrant. The Center may request other information that includes, but is not
limits to the origin of personal data, the automated processing technology used, security measures for the processing of personal data.
40. As a result of the prior verification carried out, the Center shall take the decision on the authorization or refusal of the authorization of the processing of personal data.
41. The decision on the refusal to authorize the processing of personal data must contain the reasons justifying the refusal and, where appropriate, the procedure for removing the personal data.
circumstances that prevent the processing of those data.
42. The refusal to authorize the processing of personal data does not exclude the possibility for the operator to repeatedly notify the Center after the removal of the circumstances.
which prevented the processing of that data.
43. Information on the decision issued shall be sent to the registrant.
44. The electronic format of the decision will be signed with a digital signature, and can be downloaded by the operator or the person empowered by him to access the profile created by
via the Centre's official website on the Internet.
45. The decision issued can be challenged in the administrative contentious court.
46. ​The time limit for challenging the decision issued runs from the date of receipt of the information submitted by the Center or its first download, a fact recorded by the system and presented in the form of an alert in
the profile of the personal data controller.
Section 3
Modification of entries in the Register
47. For the introduction of amendments, applicants for registration shall submit a notification, the model of which shall be approved by the Center. Notification concerning the modification of the information registered in
Register shall be submitted specifying the registration number of the operator and the personal data recording system concerned in compliance with the conditions for submission and processing of
notification referred to in Chapter IV, Section 1 of this Regulation.
48. Any modification of the respective information will be communicated to the Center within 5 days.
49. In case the modification decision is issued, the automated system will insert the corresponding modifications in the Register.
Section 4
Deletion of entries in the Register
50. Deletion of the registration from the Register is made in case:
1) the submission of a notification to this effect by the registrant;
2) the issuance by the Center of a decision to stop the processing of personal data carried out in violation of the provisions of the law, at the expiration of the legal term for contesting it.
51. The notification aimed at deleting the information registered in the Register shall be submitted by the registrant with the specification of the registration number of the operator and / or the registration system.
record of the personal data concerned, in compliance with the conditions for submission and processing of the notification indicated in Chapter IV, Section 1 of this Regulation.
52. The decision to delete shall be based on conclusive evidence concerning the destruction or transmission of personal data processed to another controller, in accordance with the provisions of
and the rights of the data subject.
53. In case the issuance of the deregistration decision is issued, the automated system will make the respective entries in the Register.
54. The deletion of information from the Register, at the initiative of the operator or the person empowered by it, may be refused if:
1) the documents attached to the notification contain untrue information and the registrant did not comply with the Centre's requirements to take measures to remove them
deficiencies within the set deadline;
2) the fact of destruction of personal data has not been confirmed;
3) the fact of transmitting personal data to another operator has not been confirmed;
4) the transmission of personal data to another operator was carried out in violation of the provisions of the legislation on personal data protection.
55. In the cases provided for in point 54 of this Regulation, the Center shall take the decision on the refusal to delete the information from the Register.
56. The decision to refuse the deregistration shall not prevent the registrant from repeatedly submitting the deregistration notice, provided that the grounds which served as the basis for issuing the decision have been removed.
of refusal.
57. The operator and / or the system for recording personal data shall be considered deleted from the Register from the moment the decision to delete it is adopted.
Section 5
Extract from the Registry
58. Upon request, the Center may issue extracts from the Register. The extract from the Register shall be submitted, on the basis of an application signed within 15 working days, in compliance with the legislation on
protection of personal data and access to information.
59. The refusal to issue the extract from the Register may be challenged in the administrative contentious court.
Section 6
Access to public information stored in the Register
60. The data stored in the Register, except for detailed information on security measures and ensuring the confidentiality of personal data, shall be accessible to any person in the
in accordance with the provisions of the legislation on access to information and on the protection of personal data.
61. Access to public information stored in the Register shall be made through the Centre's official website in the Internet.
Chapter V
PRESERVATION AND RESTORATION OF RECORDS
FROM THE REGISTER. CONTROL AND RESPONSIBILITY
62. The evidence and control department of the Center ensures the observance of the terms for examination and settlement of the notifications of the applicants for registration, processing and transmission of information in
the term provided by the present Regulation, as well as the protection of the personal data become known in the process of the activity.
63. After the registration of the information in the Register or at the expiration of the terms established for the registration, the documents and files in electronic format, which served as the basis
for the registration of the notification, it is kept in the archive of the Center, in the manner and terms established by the legislation.
64. In case of loss, destruction or damage of data stored in the Register, the holder of the Register shall restore them within 60 calendar days.
65. The entries in the Register may be reinstated, in whole or in part, on the basis of the documents and backups of the electronic files which formed the basis for the entries,
extracts from the Register, and if the respective documents have not been kept - based on their copies, authenticated in the established manner, as well as based on other sources of information.
66. The restoration of the records stored in the Register shall be carried out under the supervision of the person exercising internal control over its keeping.
67. The keeping of the Register is subject to internal and external control, in accordance with the provisions of art. 31 of Law no. 71-XVI of March 22, 2007 regarding the registers. Internal control is performed
by the person designated under the law. Persons empowered to keep the Register and keep records of operators or data systems of character
are obliged to prevent unsanctioned access to the data stored in the Register and / or in the records of the operators or systems of record of personal data, to
take action to prevent the admission of cases of illegal use, illegal disclosure of information contained therein, modification or destruction of such data.
68. The persons empowered to keep the Register are obliged not to disclose the information with limited accessibility to which they have received access in connection with the exercise of their functional attributions,
including after the cessation of the activity within the Center. For violating the confidentiality clause, the guilty persons are liable in accordance with civil, contravention or criminal law.

