Page 1

NATIONAL CENTER FOR DATA PROTECTION
WITH PERSONAL CHARACTER OF THE REPUBLIC OF MOLDOVA
MD-2004, mun. Chisinau, str. Serghei Lazo, 48, tel: (+ 373-22) 820801, 811807 fax: 820807, www.datepersonale.md

ORDER no. 03/1
"28" February 2013

mun. Chisinau

Regarding the approval of the Instructions
on the processing of character data
personally in the electoral process
In accordance with Art. 20 para (1) lit. c) of Law no. 133 of 8 July
2011 on the protection of personal data, Chapter II, point 3 letter e
Regulation of the National Center for Personal Data Protection,
approved by Law no. 182-XVI of July 10, 2008,

2

) al

ORDER:
1. The Instructions on the processing of personal data are approved in
the electoral process (attached).
2. It is recommended to the entities involved in the electoral process to adapt the procedures
internal processing of personal data in accordance with the principles established by
Instructions for processing personal data in the process
electoral.
3. The Legal and Public Relations Department, jointly with the Records and Control Department,
will ensure the placement of the Instructions on the processing of character data
personally in the electoral process on the official website of the National Center for
Personal Data Protection ( www.datepersonale.md ).

Vitalie PANIŞ
Director

Page 2

Annex to Order no. 03/1 of 28
February 2013

Instructions on the processing of personal data in
the electoral process
The present instructions are elaborated in accordance with the provisions of art. 20 para.
(1) lit. c) of Law no. 133 of July 8, 2011 on the protection of personal data
in order to bring the processing of personal data into
in accordance with the principles of personal data protection within
exercise of a fundamental right - the right to vote, without reaching the sphere of
competence of the Central Electoral Commission, established by the Electoral Code of
Republic of Moldova.
Taking into account the fact that in addition to the need to ensure the right to vote, the State has
the positive obligation to respect and protect intimate, family and private life;
of the findings made by the National Center for Character Data Protection
Staff of the Republic of Moldova (Center) in the process of examining several complaints with
reference to violations by some electoral contestants of the right to privacy in
the period of conducting the electoral campaigns from 2009-2011;
of the still insufficient level of personal data protection found in
within the controls performed at some town halls;
the fact that the Central Electoral Commission is the competent authority
to establish the manner and means of processing personal data in
the electoral process, the other entities within the electoral bodies are to
process this data on the basis of instructions specifically received from this authority, have
these Instructions have been developed, which may serve as guidelines for
The Central Electoral Commission and other entities involved in the electoral process, bringing
processing of personal data in accordance with the principles established in the Law
on the protection of personal data and good practices in the field;
of the provisions of the Resolution of Montreux (Swiss Confederation) on
use of personal data for political purposes, adopted on 14-15 September
2005 by the Conference of Data Protection Commissioners ruling, among
others, that:
- in political life a large amount of personal data are collected in
continuously by political organizations and are sometimes processed in ways
aggressive, using various techniques, including surveys, collecting email addresses through
software / search engines, widespread agitation through the locality or forms of political decisions
through interactive television, voter isolation files; where these data sometimes include
illegal (in addition to postal addresses, telephone numbers, e - mail accounts, information
on professional activities and family relationships) sensitive data on
real or presumed moral or political beliefs or activities, or the activities of
voting;

Page 3

- there is a tendency to create invasive profiles of different people who
moment are classified - sometimes inaccurately or based on superficial contact - as
supporters, supporters, adherents or party members, to enhance communication
personalized to groups of citizens;
- people must be protected from adverse effects and possible discrimination
in their personal sphere, as well as their renunciation of some forms of participation
politics;
any political communication activity, including that which does not relate to
election campaigns, which involve the processing of personal data, must
respect the fundamental rights and freedoms of interested parties, including the right to
protection of personal data, and must comply with the principles of
protection of the claimed data, issue these Instructions.
The instructions are to be applied in conjunction with the provisions of the Property Code
electoral practices. Guidelines (Venice, 18-19 October 2002) al
European Commission for Democracy through Law (Venice Commission), Code
Electoral Law, Personal Data Protection Act, Requirements for
ensuring the security of personal data when processing them within
personal data information systems, approved by the Decision
Government no. 1123 of 14 December 2010 (Requirements), Regulation of the Register of
records of personal data operators, approved by Government Decision
no. 296 of May 15, 2012, which creates the necessary regulatory framework for insurance
the right to privacy of the voter, as well as with the Regulation on
the activity of the Central Electoral Commission, approved by the Commission Decision no. 137 of 14
February 2006 with subsequent amendments and completions.
I. Notions used in the text:
- personal data - any information relating to a natural person
identified or identifiable (subject of personal data). The person
identifiable is the person who can be identified, directly or indirectly, by reference to
an identification number or one or more elements specific to his identity
physical, physiological, mental, economic, cultural or social. For example , information
recorded in the electoral lists: name and surname, year of birth, domicile, series and
the number of the voters' identity card - represents personal data
relating to an identified natural person. Also, in the process of voting,
other personal data are collected from the natural person, such as: signature
applied by it upon receipt of the ballot paper; place of birth and number
state identification (IDNP) of voters registered in the additional electoral lists, etc.
- special categories of personal data - data revealing the origin
racial or ethnic identity of the person, his or her political, religious or philosophical beliefs,
social affiliation, data on health or sexual life, as well as those
regarding criminal convictions, coercive procedural measures or sanctions
contraventions. For example , the stamp with the statement confirming voting on the day
respectively, applied in the form accompanying the identity card or in the act in which

Page 4

base votes the person, represents the special category of personal data in
on the grounds that in certain situations, such as the 2010 referendum held in
The Republic of Moldova can quickly appreciate the political sympathies of
his. Also, information about people in hospitals, asylums
for the elderly or detained on the basis of an arrest warrant until the sentence is pronounced
regarding persons sentenced to imprisonment whose sentence is not
final, to those who execute a contravention sanction in the form of arrest, to
persons sentenced to imprisonment by final judgment, in
penitentiary institutions also represent special categories of character data
personal.
- processing of personal data - any operation or series of
operations performed on personal data by means
automated or non-automated, such as: collection, registration, organization,
storage, preservation, restoration, adaptation or modification, extraction, consultation,
use, disclosure by transmission, dissemination or in any other way, joining or
combining, blocking, deleting or destroying. For example, the preparation by
mayors or diplomatic missions of the electoral lists, verification of voters registered in
they, specifying, every year (after January 1) the electoral lists, keeping and
their disclosure by transmission to the Central Electoral Commission, represents
personal data processing operations.
operator - natural or legal person under public or private law,
including the public authority, any other institution or organization that, individually
or together with others, sets out the purposes and means of data processing with
personal data expressly provided for by the legislation in force. E.g,
town halls or diplomatic missions are set up as data operators with
personal in relation to the data included in the electoral lists drawn up, verified and
specified, which they store and keep for a certain period of time; the desk
of the polling station is constituted as the operator of the data of character
personally recorded in the electoral rolls kept or modified as a result of the examination
requests in connection with the inaccuracies in the electoral lists, of the electoral lists
additional data that you have drawn up, but also of the personal data collected in
the process of examining the requests regarding the inaccuracies in the electoral lists, regarding
requesting certificates for the right to vote to voters who will not be at home
on election day, as well as other requests for organization and conduct
elections. The Central Electoral Commission is constituted as the recipient of the lists
sent by the mayors and, at the same time, when they organize them after
certain functional criteria, modify them, combine them in some way or decide on
the purpose of the data included in these electoral lists - is constituted as an operator
personal data. Also, the Central Electoral Commission is set up in
as an operator of personal data processed or to be processed in
Register of electoral officials, State Register of voters, etc.
person authorized by the operator - natural person or legal person
public or private law, including the public authority and its subdivisions

Page 5

processing personal data in the name and on behalf of
operator, based on instructions received from the operator. For example , the Center for
Continuing education in the electoral field is a person empowered by the Commission
Central Electoral Commission, because it processes personal data concerning
electoral officials within their specialized training, according to
Regulation approved by the decision of the Central Electoral Commission.
addressee - any natural or legal person governed by public law or by
private law, including the public authority and its territorial subdivisions, to which they belong
disclosed personal data, whether or not it is a third party. For example ,
The Central Electoral Commission is constituted as the recipient of the electoral lists
sent by town halls or diplomatic missions. The organs are not considered recipients
in the field of national defense, state security and public order, the bodies of
criminal prosecution and the courts to which data of a character are communicated
personally within the exercise of the powers established by law.
personal data record system - any structured series of data
personal data accessible according to specific criteria, whether it is centralized,
decentralized or distributed according to functional or geographical criteria. As
system of evidence of personal data is included but not
limits to the databases, information and computer systems in which they are stored
and processed automatically or manually personal data. For example , models
Classical systems for recording personal data are: Register
electoral officials or the State Register of Voters. Electoral lists drawn up
and stored on paper or electronically, also represents a system of
record of personal data. Likewise, other structured series of character data
personally, such as: video images collected through an installed surveillance system
inside or on the perimeter of the polling stations, which are kept for a certain period of
time; personalized information on the specialized training of officials
or other subjects involved in the electoral process, etc .;
depersonalization of data - modification of personal data so that
details of personal or material circumstances no longer allow for assignment
to an identified or identifiable natural person or to allow the assignment only
in the conditions of an investigation that requires disproportionate expenditure of time, means
and labor.

II. Organizational and technical procedures required to be followed
1. It is recommended that the entities involved in the electoral process be
assigned, depending on the role they have, the quality of operator, person
empowered by the operator or consignee, in accordance with the notions established by art. 3 al
Law on the protection of personal data. This will allow clear delimitation
competences and the appropriate distribution of rights and obligations within the framework
personal data processing operations.

Page 6

2. All officials and persons involved in the electoral process who have access
to personal data, including the employees of the Central Electoral Commission, follows a
be subject to a confidentiality statement which, where appropriate, may be included in
employment contracts, having the quality of a contractual clause, or in the job descriptions, with
the mention about the civil, contraventional or criminal liability for the violation
its.
3. The personal data processed in the electoral process must be
accurate and, if necessary, up to date. It is recommended that you update your data with
personal data to be performed by the person responsible for processing the data
with personal character for electoral purposes, designated by administrative act, decision, a
the mayor, the commanders of the military unit, the leaders of the medical institutions,
sanatoriums, rest homes, diplomatic offices and consular offices of the Republic
Moldova, electoral bodies, as appropriate. The administrative act is to contain the clause
of confidentiality of personal data in accordance with the provisions of art. 29
of the Law on the protection of personal data, as well as information on
liability for its violation, in accordance with the provisions of art. 33 al
the same legislative act.
4. The responsible person is to carry out the processing operations of
personal data concerning citizens with the right to vote, as the case may be, domiciled on
the territory of the administrative-territorial unit, of the military units, located in the institutions
medical, sanatoriums, nursing homes, as well as voting citizens who are there
on the territory of other states, in accordance with the provisions of art. 39 Electoral Code. At the same time, in
the process of updating personal data, the exact character is to be ensured
of them, being recommended the method of on-site verification, but also the processing
personal data stored in character data information systems
personnel managed by the local public authority, the military unit, the curative institutions,
sanatorium, medical and / or those assigned to main state information resources, at
which the responsible person has the right of access as an authorized user
of them.
5. The use of personal data recording systems for the purpose
the preparation of subscription lists is to be prohibited.
6. The operators of personal data in the electoral process follow, in
cooperation with the National Center for Personal Data Protection to
develop and implement a personal data security policy in
in accordance with the provisions of the Requirements, which would cover issues including:
procedures and measures related to the implementation of the security policy, with the application of solutions
practices with a proportionate level of detail and complexity; identification and
authentication of invested users with the right to access information systems
personal data processed in the electoral process; ways of reacting to
security incidents; protection of information and communication technology; of
ensuring the integrity of information containing personal data and technology
informational; managing access to processed personal data; of
information systems auditing and tracking personal data, etc .

Page 7

7. The security policy is to contain regulations that would ensure
protection of personal data processed in the record systems in
the electoral process, in particular by the following methods:
1) preventing unauthorized connections to communication networks and
interception by means of technical means of personal data transmitted by
these networks, especially in the process of disclosing the transmission of electoral lists between
the competent entities with different competencies in the electoral process;
2) exclusion of unauthorized access to personal data processed in
within the records systems by the method of implementing the identification procedures and
user authentication; by allocating obligations and investing with a minimum of
rights and competencies of those involved in the management of systems
record of personal data; by ensuring the integrity of resources
information (data and programs);
3) prevention of special technical and program actions that
conditions the destruction, modification of personal data or malfunctions in
the work of the technical and program complex, of the software intended for data processing with
personal, by the method of using special technical means of protection and
program, including licensed programs, antivirus programs, system organization
software security control and periodic backups;
4) prevention of intentional and / or unintentional actions of users
internal and / or external, as well as other employees, which condition the destruction,
modification of personal data processed in the record systems or
defects in the work of the technical and program complex;
5) preventing the leakage of information containing character data
personally, transmitted through the link channels, by using encryption methods
(encryption) of this information;
6) establishing the exact order and procedures for accessing the information it contains
personal data, processed in the information and record systems,
for both internal and external users.
8. In case of disclosure by transmission of the electronic data format with
personal data, contained in the electoral rolls, supplementary electoral rolls, mailing lists
subscription or in other documents, through communication networks or on another medium
electronic (digital) storage, this information will be encrypted or will be
examine the possibility of using a bilateral connection through a secure VPN channel.
Wireless access to personal data information systems is to be
allowed and authorized only in the case of the use of cryptographic means of protection of
information. Each case of requesting the transmission of personal data by road
will be examined separately, based on the technical possibilities of the recipient and
operator, as well as in accordance with the organizational and technical measures
implemented by the parties. If communication networks pose risks to
confidentiality and security of personal data, methods will be used

Page 8

traditional means of transmission (postal delivery by registered mail, personal delivery,
etc.)
9. Transmission of personal data through non-communication networks
correspond to the Requirements, (for example: sending information by e-mail
personal messages such as @ gmail.com, @ mail.ru, @ yahoo.com, etc.) are to be
forbidden.
10. The procedure for transmitting personal data stored on a medium
paper, including in the case of polling stations established abroad of the Republic of Moldova,
are to be regulated by institutional normative act, taking into account
the need to ensure an adequate level of security, including the use of channels
diplomatic.
11. The procedure for drawing up, verifying and updating the electoral lists, by
receipt and transmission of lists to and from polling stations; of inclusion / exclusion from
lists of voters by members of the polling station; presentation
subsequent final electoral lists; keeping electoral lists and other issues
necessary for the processing of personal data, to be developed
and approved by the Central Electoral Commission in cooperation with the National Center for
Protection of Personal Data, in accordance with the principles provided by
legislation on the protection of personal data.
12. The Central Electoral Commission shall regulate in particular the procedure of
access of accredited observers to electoral information and lists
including the procedure and the limits within which they can make photo and video footage,
taking into account not only the need to ensure the secrecy and security of voting, but also a
the principles of confidentiality and security of the processing of personal data,
provided by art.29 and 30 of the Law on personal data protection.
III. State register of voters
13. The existence of an updated electoral register is essential for the guarantee
universal suffrage, to secure the electoral process, as well as to ensure
updating and accuracy of personal data processed for electoral purposes.
However, although at the moment there is the Concept of the State Automated Information System
"Elections", approved by Law no. 101-XVI of May 15, 2008, before putting in
operation of the Automated Information System for maintaining the state register, will
it will be necessary to approve the Regulation on how to keep it
register.
14. It is recommended that in drafting the Regulation they be taken into account
consideration of the principles established by the Law on the protection of personal data
and Requirements for ensuring the security of personal data when processing
in personal data information systems, including through
the concrete regulation of the rights and obligations of the public administration authorities
central and local authorities in the process of providing the personal data necessary for the youth
register etc. Particular attention should be paid to issues related to:
a) ensuring the conditions for the realization of the constitutional right by the citizen
by secret ballot, to completely exclude any technical possibility, even

Page 9

imaginary, of the administrators of the Automated Records System, or of another person,
to have access to information on the option expressed by the voter in the voting process
through the electronic system.
b) the technical procedures that would ensure the automatic interruption, after the performance
voting, the link between the voter's personal data and the check mark passed by him
for a concrete candidate in the electronic ballot paper, as well as the impossibility
absolute need to re-establish this link;
c) technical procedures that would ensure the impossibility of monitoring by the party
the administrators of the Automated Records System, or of another person, of the option
expressed by the voter in the period following his ticking a
the corresponding compartment in the electronic ballot paper and the final confirmation of
this option, which is measurable over time.
15. To be prohibited c reating of data filing systems
personal data collected for electoral purposes, except in the cases expressly provided by
Electoral code.
IV. The rights of personal data subjects
16. If personal data are collected directly from
the subject of this data, to him, on request, the following are to be provided
information, unless he already has that information:
1) regarding the identity of the operator or, as the case may be, of the person empowered by
to the operator (name, legal address, IDNO, registration number in
Register of personal data operators);
2) regarding the concrete purpose of processing the collected data;
3) regarding the recipients or the categories of recipients of the character data
personal; the existence of the rights to information and access to the data collected; intervention
on data (in particular to rectify, update, block or delete character data
personnel whose processing contravenes the law due to the incomplete or inaccurate nature of
their opposition), as well as the conditions under which these rights may be exercised;
whether the answers to the questions used to collect the data are mandatory or
including the possible consequences of refusing to answer questions through
which collects the information.
17. Informing the subjects of personal data regarding
the particularities of the personal data processing operations in the periods
It is recommended that elections be conducted and generalized through the media
republican or local level, as appropriate, including by displaying information
corresponding on the information panels of local and central public authorities and
use of available means of communication (telephone, posters, internet).
18. The subjects of personal data - voters, will be assured the right
access and the possibility to get acquainted with the electoral lists for the purpose of verification
the correctness of their preparation, the contestation against their non-inclusion in the list or their exclusion
from it, as well as against other errors committed in entering the data about himself or herself
about other voters. In this regard, the persons responsible for processing the data with

Page 10

personal content contained in the electoral lists, will ensure the access of the citizen only to
personal data that directly concern him, the possibility being excluded
consultation of personal data concerning other subjects, contained in the lists
unless the applicants are pursuing a legitimate interest
does not prejudice the interests or fundamental rights and freedoms of the subject
personal data.
19. In case of placing the personal data contained in the electoral lists
through the official website of the Central Electoral Commission or the authority
technical solutions to the exclusion are to be put in place
unrestricted access to them, ensuring the technical program measures,
specialized in information security, protection measures for confirmation
unequivocal identity of the subject of personal data, who realizes
the right of access or rectification, by excluding unauthorized access to these data.
20. In case of realization by the subject of personal data of the right
intervention, inaccurate data is to be updated by rectification or deletion, as
base serving only legal sources (identity documents, marital status, information resources
main state, etc.), the change will be made in all records
managed for electoral purposes.
21. Disclosure by transmission, dissemination or otherwise of data with
personal processing processed for electoral purposes is to be prohibited, except
cases when the subject of personal data has given his consent, when
the information is depersonalized whenever the law expressly provides for the right of its recipient
of the third party in this respect.
V. Storage, storage and destruction of personal data
processed in the electoral process
22. Storage and retention of personal data recorded in
electoral documents, to be carried out in strict accordance with the provisions
art.62 Electoral Code, the Central Electoral Commission having the right to decide
on their finality taking into account the provisions of art. 4 para. (1) lit. e) of the Law
on the protection of personal data.
23. Access to the spaces where the information and information systems are located
evidence of personal data is to be restricted, being allowed only
persons who have the necessary authorization and only during business hours, according to
the institutional security policy approved by each operator.
24. Storage and storage in computers of electronic data format with
personal, structured in record systems, which are connected to the Internet, which
they are not equipped with special technical and program protection means and are not installed
licensed programs, antivirus programs, software security control systems, de
ensuring that backups are regularly performed and audited is to be banned.
25. Storage of personal data on magnetic, optical, laser, de
paper or other information medium, on which it is created, fixed, transmitted,
receives, stores or otherwise uses the document and allows
its reproduction is to be ensured by placing them in safes or

Page 11

lockable and sealed metal cabinets. Access to safes and metal cabinets
to be monitored by keeping a register. Removal, without
authorization of personal data carriers within the security perimeter of
operator is to be banned.
26. Destruction / destruction of electoral documents and bearers of
information containing personal data is made by the operator or persons
authorized by the operator, based on clear instructions. If as
operators are the local public authorities, then the destruction / destruction is to be
carried out in accordance with the time limits indicated in the standard nomenclature of dossiers
town halls of communes (villages), municipalities (cities), based on a report. Into the
the situation in which the quality of operator belongs to the Central Electoral Commission, then
the destruction is to be carried out on the basis of the Regulation on the organization and
the functioning of the archive of the Central Electoral Commission approved by the Commission Decision
Central Electoral no. 1917 of October 21, 2008 and according to the provisions of the Code
electoral.
27. Annually, by January 31, personal data controllers will
present at the address of the National Center for Personal Data Protection of
Of the Republic of Moldova generalized report on systems security incidents
informational personal data in accordance with the provisions of point 91 of
Requirements.

