Law no. 135 of 07.07.2017 amending the Electronic Communications Law no. 241-XVI of 15.11.2007, hereinafter "Law No 241/2007", in force since August 18, 2017, contains a chapter specifically dedicated to the protection of confidentiality in the field of electronic communications, which provides for specific conditions to guarantee the right to privacy protection in the processing of personal data used in electronic communications.
The provisions of the new chapter of Law no. 241/2007 apply to the processing of personal data related to the provision of publicly available electronic communications services through public electronic communications networks, including networks that support devices for data collection and identification, except cases when this work is performed:
a) within the framework of national defense and security actions, under the law;
b) within the framework of actions aimed at prevention, investigation, prosecution of criminal offenses and maintenance of public order, as well as other activities in the field of criminal procedure, carried out under the law.
The chapter specifies the rights of electronic communications service subscribers and users to personal data protection, the obligations of providers to ensure service and personal data security, as well as the responsibilities of the National Center for Personal Data Protection and ANRCETI in this area.
Thus, providers of publicly available electronic communications services are required to take appropriate technical and organizational measures to protect the security of the services. The measures must ensure a level of security adequate and proportionate to the existing risks and comply at least with the following conditions:
a) to ensure that personal data can only be accessed by authorized persons and for purposes specified by law;
b) protect stored or transmitted personal data against accidental or unlawful destruction, accidental loss or damage, and unauthorized storage, processing, access or disclosure;
c) to ensure the implementation of the security policy developed by the provider regarding personal data processing.
Where there is the risk of network security violation, providers are required to inform subscribers of this risk. Where the risk goes beyond the scope of the measures that may be taken by the providers, they must inform subscribers of possible solutions, including the costs involved. In case of a personal data violation, the provider shall notify the National Center for Personal Data Protection, without undue delay. Where a breach of personal data is likely to prejudice the personal or private life of a subscriber or user, the provider shall notify him of the breach without undue delay.
The new chapter of Law no. 241/2007 provides for a number of interdictions related to the tapping, recording, storing or other types of interception or surveillance of communications and data transfer, by persons other than the end-user participating in the communication, as well as related to storage and processing by providers of transfer data related to subscribers and users and billing of services offered to them, processing of location data, using dial-up and automatic communication systems, faxes or e-mail for advertising purposes, etc.
ANRCETI recommends that stakeholders, especially providers of electronic communications networks and services, to carefully observe the provisions of the new chapter of Law no. 241/2007, republished in the Official Gazette of the Republic of Moldova of 17.11.2017, in order to clearly identify the rights and obligations they have according to the law in the relation to the users, with other providers of electronic communications networks and services, with the National Center for Personal Data Protection and ANRCETI.