Data Protection

Data Protection: Data protection law in Moldova regulates the collection, processing, storage, and transfer of personal data, based on Law No. 133/2011 on Personal Data Protection, which is largely modelled on the EU Data Protection Directive and incorporates GDPR-aligned principles.

Moldova's data protection framework is set out primarily in Law No. 133/2011 on Personal Data Protection. As part of its EU Association Agreement, Moldova has committed to aligning its data protection rules with EU standards, and the law was significantly updated to reflect GDPR principles. The supervisory authority is the National Authority for Personal Data Protection (Autoritatea Națională pentru Protecția Datelor cu Caracter Personal, ANDPDP), which has investigative and enforcement powers.

Personal data may only be processed if at least one of the following legal bases applies: the data subject's explicit consent, performance of a contract to which the data subject is a party, compliance with a legal obligation, protection of the data subject's vital interests, performance of a task carried out in the public interest, or the legitimate interests of the controller (subject to a balancing test). Special categories of sensitive data — including health data, biometric data, and data about criminal convictions — are subject to additional restrictions.

Controllers and processors of personal data in Moldova must implement appropriate technical and organisational security measures to protect data against unauthorised access, alteration, disclosure, or destruction. They must maintain records of processing activities and, for higher-risk processing, carry out a data protection impact assessment (DPIA). Data subjects have the rights to access their data, request correction, request deletion, object to processing, and obtain data portability.

Transfers of personal data to countries outside Moldova are subject to restrictions. Transfers to EU member states and countries with an adequacy decision are generally permissible. Transfers to other third countries require appropriate safeguards such as standard contractual clauses or binding corporate rules. Given Moldova's Association Agreement and its EU candidacy status, there is significant alignment with EU transfer rules.

Non-compliance with Moldova's data protection law can result in warnings, orders to stop processing, and administrative fines. ANDPDP has the power to impose fines of up to 3% of the controller's annual turnover in Moldova for certain categories of infringement. In serious cases, criminal liability can also arise. Foreign companies processing data about Moldovan residents — even without a local establishment — should assess whether Moldovan data protection law applies to them.

Key Facts About Data Protection in Moldova

The primary law is Law No. 133/2011 on Personal Data Protection, aligned with EU GDPR principles.
The supervisory authority is ANDPDP (Autoritatea Națională pentru Protecția Datelor cu Caracter Personal).
There are six legal bases for processing personal data, mirroring the GDPR framework.
Sensitive categories of data (health, biometric, criminal) are subject to additional processing restrictions.
Transfers of personal data outside Moldova require an adequacy decision or appropriate safeguards.

Common Mistake: Companies in Moldova often rely on blanket consent clauses buried in terms and conditions as the sole legal basis for all data processing. This approach is not compliant: consent must be freely given, specific, informed, and unambiguous for each processing purpose. Relying on consent where another legal basis (such as contract performance or legitimate interest) would be more appropriate creates ongoing compliance risk.

Expert Tip: Conduct a data mapping exercise before launching any new product or service in Moldova that involves collecting personal data. Identify what data you collect, why, for how long, and to whom it is transferred. Register with ANDPDP if required, draft a compliant privacy policy, and build data subject rights fulfilment processes into your operations from the outset.

Frequently Asked Questions

Does EU GDPR apply to businesses operating in Moldova?

The GDPR is an EU regulation and applies directly only in EU/EEA countries. However, it applies extraterritorially to businesses outside the EU that offer goods or services to EU residents or monitor their behaviour. If a Moldovan business has EU customers, GDPR is likely to apply in addition to Moldovan law. Moldova's own Law No. 133/2011 applies to all processing of personal data about Moldovan residents.

Do I need to register with ANDPDP as a data controller in Moldova?

Controllers that process certain categories of data (including health data, financial data, and data used for monitoring) must notify ANDPDP before commencing processing. A simplified notification regime applies to lower-risk processing. ANDPDP maintains a public register of notifications. Always check whether your specific processing activities trigger a notification obligation.

What are the penalties for data protection breaches in Moldova?

ANDPDP can impose administrative sanctions including written warnings, orders to cease processing, and fines of up to 3% of annual Moldovan turnover. For natural persons acting as controllers, fixed fines of up to 20,000 Moldovan lei can apply. In cases of wilful unauthorised disclosure or use of personal data, criminal charges under the Criminal Code (Article 177) may also be brought.

Key Facts About Data Protection in Moldova

Frequently Asked Questions

Does EU GDPR apply to businesses operating in Moldova?

Do I need to register with ANDPDP as a data controller in Moldova?

What are the penalties for data protection breaches in Moldova?

Need a Lawyer in Moldova?