Personal Data Protection, Version 2.0: Implications of Law No. 195/2024, Part I

CONTEXT

On 23 August 2026, Law No. 195 of July 25, 2024 will enter into force, establishing a new legislative framework in the field of personal data protection.

The purpose of the new law is to align the legislation of the Republic of Moldova with European standards—particularly the EU GDPR (Regulation (EU) 2016/679)—by providing a modern framework for personal data protection.

KEY CHANGES INTRODUCED BY LAW NO. 195/2024

2.1. Alignment with the GDPR

The new regulation largely adopts the structure and principles of the General Data Protection Regulation (GDPR), establishing a modern approach to data protection. The focus is placed on prevention and on integrating data protection into organizations’ internal processes. In practice, this translates into the introduction of concrete obligations for controllers, such as documenting processing activities, assessing risks, and implementing internal control mechanisms, alongside a significant expansion of the rights of data subjects.

2.2. Controller Accountability

The principle of accountability becomes one of the central pillars of the new law. The controller is no longer merely required to comply with the law but must be able to demonstrate compliance at any time. This obligation involves adopting appropriate technical and organizational measures depending on the nature, purpose, and risks of processing. In practical terms, controllers must implement internal policies, ensure data security through appropriate technical solutions, establish procedures for managing incidents, and maintain clear records of processing activities. At the same time, staff training and the development of an organizational culture focused on data protection become essential elements.

Depending on the nature of the processed data, the controller is required to adopt appropriate technical and organizational measures, such as:
• Updated internal policies on data protection, data minimization, and restricted access;
• Technical and organizational procedures such as encryption, IT security, and pseudonymization;
• Security incident procedures and breach response plans;
• Records of processing activities—documenting all personal data processing operations;
• Conducting data protection audits;
• Carrying out impact assessments for high-risk processing;
• Appointing a data protection officer;
• Annual staff training on compliance with legal provisions;
• Developing codes of conduct.

2.3. Data Subject Rights

The new law significantly strengthens the position of the data subject, transforming them into a genuine holder of control over their own data. Transparency is the starting point, with controllers required to provide clear, concise, and accessible information about data processing. Such information must be provided within no more than one month.

If requests from a data subject are manifestly unfounded or excessive, particularly due to their repetitive nature, the controller may:
a) charge a reasonable fee, considering the administrative costs of providing the information or taking the requested actions; or
b) refuse to act on the request.
In such cases, the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive.

Traditional rights—access, rectification, erasure, and restriction of processing—are complemented by modern rights such as data portability and the right to object, particularly in the context of direct marketing. A notable new element is the regulation of automated decision-making. The law limits its use in cases where it produces legal effects or significantly affects the data subject and imposes additional safeguards, including the right to human intervention and to challenge the decision.

2.4. Record of Processing Activities

The new law requires personal data controllers and processors to maintain records of personal data processing. These records may be kept in physical or digital format and must include all processing operations carried out by an organization. Maintaining such a register is mandatory in the following cases:
• The controller has at least 250 employees;
• The processing is likely to pose a risk to the rights of data subjects (e.g., use of surveillance cameras, GPS tracking, etc.);
• The processing is not occasional (e.g., processing employee or customer data);
• The processing includes special categories of data, such as health, biometric, genetic data, or data revealing racial or ethnic origin, political opinions, etc.;
• The processing includes personal data relating to criminal convictions and offenses.

The record of processing activities must include the following information:
a) the name and contact details of the controller / controller’s representative / data protection officer;
b) the purposes of processing—i.e., the organizational activities involving personal data processing (e.g., HR administration, marketing, contracts with suppliers or clients);
c) a description of categories of data subjects and categories of personal data (e.g., employees, clients/patients, collaborators);
d) categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to another country or international organization, including identification of that country or organization;
f) where possible, the envisaged time limits for erasure of different categories of data;
g) where possible, a general description of technical and organizational security measures (e.g., pseudonymization, encryption, access control, password protection, etc.).

RECOMMENDATIONS FOR CONTROLLERS AND DATA SUBJECTS

In the context of the new regulation, data controllers can no longer afford a reactive or purely formal compliance approach. Law No. 195/2024 requires a genuine shift in approach, starting with a comprehensive assessment of processing activities. Identifying and documenting data flows—from purposes and data categories to recipients—is no longer just best practice but an essential condition for demonstrating compliance.

Based on this analysis, organizations must build a solid internal framework through clear and updated data protection and information security policies. These must be supported by appropriate technical and organizational measures tailored to real risks—from access control and encryption to periodic system testing. Without such mechanisms, exposure to legal risks and sanctions becomes significant.

At the same time, practical experience shows that the most frequent vulnerabilities are not technical but human. Therefore, employee training and the development of an organizational culture focused on data protection are not optional but represent a direct investment in risk reduction.

Transparency toward data subjects also gains strategic importance. Controllers must be able not only to provide clear information about data processing but also to manage requests for exercising rights efficiently, promptly, and in a well-documented manner.

This article is the first in a series dedicated to Law No. 195/2024, aiming to provide an in-depth analysis of its new provisions.