What changes for businesses by 23 August 2026
- Law No. 195/2024 on personal data protection takes effect on 23 August 2026; until then, Law No. 133/2011 continues to apply.
- The new rules are not only for IT companies: any business that works with customers, employees, candidates, newsletters, CRM, video surveillance or external providers processes personal data.
- Real preparation is not just buying a privacy policy template. It means knowing what data you collect, why, on what legal basis, for how long you keep it and who receives it.
- Businesses should separately check individual rights, processor contracts, security, incident response and whether a DPO is required.
The new law brings Moldova closer to the GDPR approach: less reliance on formal “we have consent” language and more accountability for the full data-processing cycle. For businesses, this is not a reason to panic, but it is a reason to review data processes before CNPDCP starts applying the new regime in practice.
First, understand what personal data you already have
Personal data is not only an IDNP or a passport copy. In business, it usually includes customer names, phone numbers, emails, delivery addresses, order history, employee data, candidate CVs, camera recordings, messenger conversations, CRM records, payment information and other information that can directly or indirectly identify a person.
Start with a simple data map:
- what data you collect from customers, employees, candidates and individual partners;
- where it is stored: website, CRM, Google Drive, accounting software, cloud, cameras, paper archives;
- who has access inside the company;
- which providers receive data: accountant, IT support, email service, cloud provider, marketing agency;
- how long the data is actually kept and who is responsible for deletion.
CNPDCP’s practical guidance recommends starting with clarity: what data exists, where it is located and for what purpose it is used. For a small business, this does not need to be a large audit. Often, a table covering key processes is enough: sales, delivery, HR, newsletters, video surveillance and customer support.
A privacy policy alone is not enough
A privacy policy is useful, but it does not make processing lawful by itself. The new logic is based on principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
In practice, check whether:
- there is a clear purpose for each type of data;
- you are not collecting more than you need “just in case”;
- you have selected the correct legal basis, instead of using “consent” automatically for everything;
- you explain what data you collect, why, how long it is kept and what rights the person has;
- there is a retention period after which data is deleted or anonymized;
- you can prove that the rules are not only written, but actually applied.
Consent is often misused. It should not replace a contract, legal obligation or another applicable legal basis. For example, data needed to perform a contract with a customer and data used for marketing may require different bases and different notices.
Individual rights require an internal response process
Law No. 195/2024 strengthens the role of the individual in controlling their data. CNPDCP guidance refers to data subject rights, including information, access, erasure and other rights under Articles 13-22. If a person submits a request, the controller cannot simply ignore it: the request must be registered and answered within the legal deadline. CNPDCP’s practical material indicates a deadline of no more than one month from receipt.
Businesses should decide in advance:
- which email or address receives personal data requests;
- who inside the company reviews those requests;
- how the requester’s identity is confirmed if there is a risk of disclosing data to the wrong person;
- where the receipt date and response date are recorded;
- who decides on refusal, partial response or deletion;
- how evidence of the response is kept.
This matters especially for companies with active sales, HR processes and newsletters. A “delete my data” request may not reach a lawyer first; it may come to an Instagram manager, chat operator or HR specialist. If the team does not know what to do, the deadline can easily be missed.
Providers, DPOs and incidents: three high-risk areas
If data goes to providers, responsibility does not disappear. CNPDCP specifically notes that when working with processors, such as an accountant, IT company or cloud service, responsibilities should be set out in a contract or clear clause. At minimum, check who processes data on your behalf, where the services are located and what happens to the data when the contract ends.
The second area is the DPO, or data protection officer. Do not oversimplify this: not every business must appoint a DPO. According to CNPDCP guidance, designation is mandatory in certain cases and may be recommended when it is not mandatory. The safer step is to check whether the company falls into a mandatory case and who actually owns privacy processes internally.
The third area is security incidents. This does not mean only a cyberattack. An incident may be a customer database sent to the wrong recipient, a lost laptop, public access to a spreadsheet, a weak password or a former employee retaining CRM access. Before August 2026, prepare a short response process:
- who receives the incident report;
- how access is quickly restricted;
- who determines what data was affected;
- when individuals or CNPDCP need to be informed;
- how the decision is documented.
What to do before August 2026
Do not leave preparation until the last week. For most companies, a reasonable plan looks like this.
First, bring order to your data: create a processing map, remove unnecessary fields from forms, check access to CRM, cloud, email and cameras, and assign someone responsible for personal data questions.
Second, update documents: website privacy notice, consent forms where they are actually needed, internal retention rules, processor contracts or clauses, and the process for responding to individual requests.
Third, review higher-risk processes: marketing newsletters, HR databases, video surveillance, cross-border services, cloud storage, children’s data or sensitive data if present. These processes may require a deeper legal assessment, including whether a DPO or impact assessment is needed.
The key point is simple: Law No. 195/2024 is not about a nice “Privacy Policy” page. It is about a manageable system. If a business already knows what data it collects, why, who receives it and how requests and incidents are handled, the transition to the new rules will be much calmer.
If you have a website, CRM, newsletters, video surveillance, an HR database or providers with access to customer data, check those processes early. A lawyer can help separate mandatory requirements from unnecessary bureaucracy and adapt documents to your actual business model.