Legal Grounds for Processing Personal Data in the Republic of Moldova (Part 2)

Introduction

The processing of personal data must always rely on a clear and justified legal basis. Under the General Data Protection Regulation (GDPR), which has also been adopted into the national legislation of the Republic of Moldova, there are six main legal grounds that allow data controllers to collect, use, and store personal data. This article provides a detailed overview of each legal basis, with practical examples and recommendations for proper application in both public and private sectors.

---

1. Consent – a sensitive legal ground

Consent is often used as a legal basis, but its proper application requires the fulfillment of several strict conditions:

• it must be freely given, specific, informed, and unambiguous;

• it is not valid if there is a power imbalance, such as between an employer and employee or a citizen and a public authority;

• it must not be hidden within lengthy terms and conditions, but clearly presented and separate.

Examples of questionable consent:

• A hospital requests a patient’s consent to share data with a pharmaceutical company — the patient may be in a vulnerable state.

• A school asks parents to consent to the use of children’s images for promotional purposes — social or psychological pressure may be involved.

• A streaming platform requires consent for profiling — without an option to use the service otherwise.

Recommendations:

• Use clear, simple language.

• Make withdrawal of consent as easy as giving it.

• Don’t rely on consent if another legal basis is more appropriate.

---

2. Contract performance or pre-contractual measures

This basis applies only if the data processing is truly necessary to:

• perform an existing contract (e.g. product delivery);

• take steps at the data subject’s request before entering into a contract (offers, reservations, negotiations).

Examples:

• An online store processes addresses to ship orders.

• A medical clinic processes data to perform medical tests.

• A public institution processes applications for subsidies or public space rentals.

Processing must not be extended to other purposes, such as marketing or profiling, unless directly related to the contract.

---

3. Legal obligation

Processing takes place under a legal obligation established by:

• laws;

• regulations;

• administrative orders or other normative acts.

Examples:

• The Tax Authority processes data to assess and collect taxes.

• Hospitals retain medical records according to the law.

• Employers transmit employee data to CNAS, CNAM, or tax authorities.

Consent is not required if a legal obligation exists.

---

4. Vital interests of the data subject

This basis applies only in exceptional cases, where:

• a person’s life or health is at risk;

• consent cannot be obtained.

Examples:

• Emergency medical care for an unconscious accident victim.

• Epidemics or natural disasters — data collection to protect public health.

• Identifying a lost child — police use databases to find the child’s identity and contact parents.

---

5. Public interest tasks or official authority

This applies when data processing is done:

• in the public interest (social aid, education, justice, etc.);

• by entities empowered by the state.

Examples:

• A town hall collects data to distribute social assistance.

• NGOs provide services to children under contracts with public authorities.

• Processing applications for heating compensation during winter.

---

6. Legitimate interest

This is the most flexible legal basis, but it requires:

• a real and justified interest;

• a clear impact assessment;

• a balance between the interests of the data controller and the rights of the data subject.

Acceptable examples:

• CCTV at a building entrance to prevent theft.

• Promotional emails to existing customers with opt-out options.

• Credit history checks before approving a lease.

Problematic examples:

• Continuous video monitoring of employees in the office.

• Profiling children to display targeted ads.

• Requesting phone numbers at checkout without explicit consent.

---

Conclusion

When processing personal data, it is essential to:

• choose the appropriate legal basis;

• ensure transparency, necessity, and security;

• document decisions and inform data subjects of their rights.

Selecting the correct legal ground is the foundation of lawful, ethical, and secure data processing.

Need a consultation?

We can help you — learn more here: Personal data protection in your company