Data protection & privacy laws in Moldova (2026)

Law No. 133 of 8 July 2011 on Personal Data Protection has been in force since 14 April 2012. It was originally aligned with EU Directive 95/46/EC and has been amended (notably in 2022) to close gaps with GDPR, including a detailed regime for cross-border data transfers to EEA states and adequacy-recognised countries.

Adopted on 25 July 2024 and published in the Official Gazette, Law No. 195/2024 substantially transposes the EU GDPR and becomes applicable on 23 August 2026. It extends territorial scope to controllers without a Moldovan establishment where processing targets persons in Moldova (mirroring GDPR Article 3(2)).

The National Centre for Personal Data Protection (NCPDP) is the independent supervisory authority, mandated to monitor compliance, handle complaints, conduct investigations, issue guidance, and impose administrative sanctions. It operates under Article 19 of Law 133/2011 and will continue under Law 195/2024.

The new law codifies GDPR-style accountability: controllers must maintain Records of Processing Activities (RoPA), conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, implement appropriate technical and organisational measures, and appoint a Data Protection Officer (DPO) where required.

Law 195/2024 enshrines rights broadly equivalent to GDPR Articles 13–22: right to information, access, rectification, erasure, restriction, portability, and objection. Controllers must respond to data subject requests within one month of receipt.

Law 195/2024 introduces tiered administrative fines: up to MDL 1,000,000 for natural persons/non-undertakings, and for undertakings up to MDL 2,000,000 or 2% of annual worldwide turnover (whichever is higher), representing a significant escalation from the prior law's penalty framework.