Clym Logo
MD flag

MD

Law No. 195/2024 - Republic of Moldova

Overview

Law No. 195/2024 on personal data protection is the Republic of Moldova’s main data protection law. Adopted in July 2024, the law repeals the previous 2011 framework and aligns Moldova’s data protection regime with Regulation (EU) 2016/679 (GDPR). Its purpose is to protect the fundamental rights and freedoms of individuals, in particular the right to private and family life, in relation to the processing of personal data.

Regulation Summary

  • 25 July 2024 – Law No. 195/2024 adopted by Parliament.
  • 23 August 2024 – Published in the Official Monitor.
  • 23 August 2026 – Law enters into force (24 months after publication in the Official Monitor of the Republic of Moldova).

  • Controllers and processors established in the Republic of Moldova.
  • Organizations outside Moldova that offer goods or services to individuals located in Moldova.
  • Organizations that monitor the behavior of individuals in Moldova.
  • Public authorities, private companies, and non-profit organizations that process personal data, when international agreements require Moldovan law to apply.

  • Processing for purely personal or household activities.
  • Processing related to national security, defense, and public order, as regulated by sector-specific laws.
  • Processing by competent authorities for criminal law enforcement purposes.
  • Processing of data relating to deceased persons, except where the law provides otherwise.

  • Process personal data lawfully, fairly, and transparently.
  • Collect data for specified and legitimate purposes.
  • Limit processing to data that is relevant and necessary.
  • Delete individuals' personal data when it is no longer necessary.
  • Maintain data accuracy and update personal data when required.
  • Apply appropriate technical and organizational security measures.
  • Demonstrate accountability for compliance with data protection obligations.

  • Publish clear and accessible privacy notices.
  • Inform users about the purposes and legal basis for data processing.
  • Obtain and log valid consent where required, and allow users to withdraw consent.
  • Put mechanisms in place to handle data subject requests.
  • Implement security measures for online data collection and transmission.

  • Conduct data protection impact assessments for high-risk processing activities.
  • Appoint a data protection officer where required by the law.
  • Notify the supervisory authority of personal data breaches within the timelines set by the law.
  • Maintain records of processing activities where required and sign data processing agreements.
  • Notify affected individuals where a breach poses a high risk to their rights and freedoms.
  • Apply safeguards for cross-border data transfers.

  • Right of access to personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure in cases provided by law.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing, including profiling.
  • Right not to be subject to a decision based solemnly on automated processing.

  • Supervisory authority: National Center for Personal Data Protection of the Republic of Moldova.
  • The law provides for administrative sanctions and corrective measures for violations of data protection obligations.
  • Administrative fines follow a phased application model after the law enters into force:
    • 23 August 2026 to 22 August 2027: up to 10% of the calculated administrative fine.
    • 23 August 2027 to 22 August 2028: up to 40% of the calculated administrative fine.
    • From 23 August 2028 onward: up to 100% of the calculated administrative fine.
  • Fine assessments consider factors similar to the GDPR, including the nature, gravity, duration, and intent of the infringement, as well as cooperation with the supervisory authority.
Book a demo