
Legal Expert Review: Moldova’s New Personal Data Protection Law
On 25 July 2024, the Parliament of the Republic of Moldova adopted Law No. 195/2024 on personal data protection (“Law No. 195/2024”). Law No. 195/2024 will replace the current framework established under Law No. 133/2011 and will become applicable as of August 2026.
The new legislation substantially transposes Regulation (EU) 2016/679 (the “GDPR”) and constitutes one of the most far-reaching legislative reforms affecting companies that process personal data in the Republic of Moldova, or in connection with individuals located on its territory.
A regulatory framework aligned with EU standards
Law No. 195/2024 establishes a structured legal framework built on the architecture of the GDPR, governing, inter alia, the obligations of controllers and processors, the rights of data subjects, the regime applicable to personal data transfers, as well as specific processing scenarios addressed distinctly from the general rules. Through this structure, Moldovan legislation is brought into genuine alignment with European Union standards, moving beyond the largely formalistic approach of the previous framework and embedding the core enforcement mechanisms that underpin effective data protection.
Controller accountability and the duty to demonstrate compliance
A core feature of Law No. 195/2024 is the express codification of controller accountability, including the controller’s obligation to be able to demonstrate compliance with the fundamental principles governing personal data processing. In practical terms, this is reflected in, among others, the following requirements:
- maintaining records of processing activities (RoPA);
- carrying out data protection impact assessments (DPIAs) for high-risk processing;
- implementing appropriate technical and organisational measures to ensure and evidence compliance;
- appointing a data protection officer (DPO), where required by law; and
- clarifying and documenting the roles and arrangements between controllers, joint controllers and processors.
Territorial scope and impact on foreign companies
Law No. 195/2024 expressly regulates its territorial scope, closely following the GDPR model. Accordingly, it applies not only to controllers established in the Republic of Moldova, but also to controllers without a local establishment where the processing relates to: (i) the offering of goods or services to individuals located in the Republic of Moldova; or (ii) the monitoring of their behaviour.
For international groups, these rules may trigger additional compliance obligations, including (as applicable) the designation of a local representative in the Republic of Moldova and a review of cross-border data flows and governance arrangements to ensure the group can demonstrate compliance in practice.
International transfers of personal data
The regime governing international transfers is set out in a dedicated chapter and is aligned with the transfer mechanisms under the GDPR. Law No. 195/2024 enshrines the general principle for international transfers and expressly regulates, among others:
- adequacy decisions;
- appropriate safeguards (including contractual and other recognised safeguards);
- binding corporate rules (BCRs);
- derogations applicable in specific circumstances; and
- international cooperation aspects relevant to cross-border enforcement and coordination.
The supervisory authority and enforcement mechanisms
Law No. 195/2024 dedicates a separate chapter to the National Centre for Personal Data Protection (Ro: Centrul Național pentru Protecția Datelor cu Caracter Personal) (the “Centre”). The Centre’s mandate is to supervise and monitor the application of data protection legislation, with a view to safeguarding the fundamental rights and freedoms of individuals.
In this context, Law No. 195/2024 provides a more detailed enforcement framework, including:
- procedures for handling complaints, examinations and investigations in cases of suspected infringements of data protection rules; and
- a sanctions regime, including administrative fines and the procedure for imposing penalties for violations of data protection legislation.
Depending on the nature and gravity of the infringement, fines may reach MDL 1,000,000, or, for undertakings, up to 1% of the annual turnover (and up to MDL 2,000,000 or 2% of the annual turnover, respectively), with the higher amount being applied.
The law also provides for a phased / progressive application of sanctions in the first years following its entry into force. However, in the case of serious or systemic infringements, the financial and reputational exposure for controllers can become significant.
Legal benchmarks for sustainable compliance
In GDPR-aligned jurisdictions, case law and regulatory practice consistently treat data protection compliance not as a checklist of isolated obligations, but as a coherent legal system built around how personal data is actually processed in practice by the controller.
Against this background, sustainable compliance is typically structured around a set of core legal benchmarks:
- Determining the entity’s legal role
The organisation must be able to demonstrate: (i) whether it acts as a controller, joint controller, or processor; (ii) that this qualification reflects its real degree of control over the purposes and means of processing; and (iii) that its contractual arrangements with third parties accurately mirror the operational reality.
- Mapping and documenting data flows
A foundational compliance exercise is to identify the categories of data processed and to map the full “data journey”: collection, use, disclosure, transfer, storage, archiving, and deletion. This mapping forms the framework against which lawfulness, proportionality, and necessity are assessed.
In practice, the organisation should identify and document: (i) what categories of personal data are processed; (ii) the sources of collection; (iii) the purposes of use, including necessity at the point of collection; (iv) recipients of disclosures; (v) the existence of external transfers; and (vi) retention periods and deletion methods.
- Lawfulness of processing and the applicable legal bases
For each category of data and each processing flow, there must be: (i) a specific and legitimate purpose; (ii) an applicable legal basis; (iii) proportionality between the purpose and the data processed; and (iv) documented reasoning supporting the chosen legal basis. A recurring practical risk is the reflexive or inappropriate reliance on consent or other bases without a robust justification.
- Records of processing activities
Controllers must maintain records reflecting, at a minimum: processing purposes, categories of data and data subjects, recipients and transfers, retention periods, and security measures.
- Storage, retention, and deletion
Controllers should ensure defined retention periods, deletion and anonymisation procedures, and clear archiving rules. A typical risk identified in practice is the indefinite retention of data without a lawful and documented justification.
- Transparency and data subject rights
The data controller should ensure two key aspects:
  - Providing information to data subjects, ensuring that the privacy notices/information provided are complete, accurately reflect the actual personal data flows, and are kept up to date to cover recipients, transfers and retention periods.
  - Facilitating the effective exercise of data subject rights, meaning that the controller must have operational procedures in place for handling rights requests, comply with the applicable statutory timelines, and maintain records of requests received and responses provided.
- Disclosures and international transfers
Data controllers should be able to explain to whom data is disclosed, on what legal basis, whether transfers occur outside the jurisdiction, and which legal mechanism supports each transfer.
For cross-border transfers, there should be an applicable transfer mechanism, documentation ensuring continuity of protection for each transfer, and a careful, defensible use of any permitted derogations.
- Outsourcing and control of the processing chain
When engaging processors, controllers must ensure documented instructions, appropriate safeguards, and control over sub-processing—bearing in mind that the controller remains accountable for the end-to-end processing chain.
- Security and incident management
Controllers must be able to demonstrate appropriate technical and organisational measures, incident-handling procedures, risk assessment as to the rights and freedoms of data subjects, decision-making documentation, and, where required, notification to the competent authority.
- Workforce management and internal discipline
Sustainable compliance also requires staff training, confidentiality obligations, access controls, and internal rules on personal device use and access to systems containing personal data.
Under Law No. 195/2024, documentation should not be treated as a formalistic exercise, but as a core instrument of legal protection. Records of processing, internal policies and procedures are relevant only to the extent that they accurately reflect operational reality and enable the controller to demonstrate, in concrete terms, effective control over personal data processing.
European practice shows that the distinction between sustainable compliance and compliance vulnerable to audits or disputes often turns on the quality of this documentation and the organisation’s ability to link it to actual processing practices. As Law No. 195/2024 approaches applicability, a structured legal assessment of data flows and the internal compliance framework is a necessary step to mitigate both legal and reputational risk.
If you would like to discuss your organisation’s readiness or have any questions on the practical implications of the new law, please feel free to reach out to ACI Partners.

This material is prepared by Nicolina Țurcan,
Senior Associate, ACI Partners.
