Lawyer found in violation of the Law on Personal Data Protection
The case was initiated after a complaint was submitted to the Centre against a lawyer who obtained information from the land (real estate) register about a real estate object belonging to a group of complainants. By a happy coincidence, those complainants were also lawyers. However, a number of questions remain unanswered with respect to the Court of Appeal’s decision and the interpretation that it gave to the respective legal provisions.
Subject matter of the complaint
The complainants stated that the lawyer received without their consent information from the state land register regarding a building belonging to them and then submitted this information to the court as part of the case-files. At the same time they claimed that the lawyer was not registered as personal data operator (the term used in Moldovan law for data controllers) under the Law on Personal Data Protection.
Following this complaint, the Centre issued a decision by which it found the lawyer guilty of breaching the requirements of the Law on Personal Data Protection. The lawyer later challenged this decision in court.
The violation found by the Centre
Moldovan Law on Personal Data Protection requires all operators of personal data to register with the Centre. They have to notify the Centre in advance before they start processing any personal data.
The Centre found that the lawyer by receiving the information from the public register and then submitting it to court processed personal data of the owners of real estate. Therefore, before carrying out these operations he should have notified the Centre as a personal data operator.
By failing to file a notification with the Centre, the lawyer allegedly breached the respective provisions of the Law on Personal Data Protection.
The position of the court
The first instance court and the Chisinau Court of Appeal maintained the arguments of the Centre.
The court dismissed the argument of the complainants with respect to the use of their personal data without their consent. It stated that the use of data in this case falls within the type of processing which does not require data subject’s consent as this took place within judicial proceedings (i.e., processing which is necessary for compliance with a legal obligation to which the controller is subject and is for the purposes of the legitimate interests pursued by the operator or by the third party to whom the data are disclosed) .
However, the court stated that the fact that the lawyer could obtain and use the data without the subject’s consent did not exempt him from the obligation to notify the Centre before processing those data.
The Court also mentioned that when processing the data the operator shall take appropriate organizational and technical measures to ensure data protection against destruction, modification, blocking, copying, disclosing and against other illegal activities.
Both the Centre and the court noted that practice of law by lawyers implies accessing personal data and that this fact imposes an obligation on lawyers to file a notification with the Centre.
The questions that remain unanswered
Despite the definite conclusion of both courts and the Centre, certain questions remain unclear in this case:
1) The Centre specifically stated that the lawyer was obliged to notify his own Register of contracts for legal assistance and the Register of certified acts (these are the types of registers held by lawyers which are provided for by the Law on the Bar).
However, the complaint arose not out of the use of the information contained in those two registers, but rather out of obtaining and using the information received from a publicly accessible land register. Under the provisions of the Law on Real Estate Cadastre the registration in real estate register is of open nature. The information about all registered rights to any real estate objects must be provided to any natural or legal person.
Thus, the information with respect to which the complaint arose is open and available to any member of the public. The court did not address this matter and focused only on the fact that the lawyer had not registered with the Centre as a personal data operator. Although non-registration or non-notification of the Centre might be considered a violation of the Law on Personal Data Protection in itself, both the Centre and the Court specifically linked non-registration and the use of these particular data (which are open to anyone as stated above).
2) The court did not consider (apparently none of the parties involved referred to this argument) the issue of whether the information in question should be regarded as personal data at all in the context of the Law on Personal Data Protection.
The Law specifically states that it applies to relations arising out of processing of personal data which form part of a filing system or are intended to form part of a filing system.
Therefore, it would be reasonable to expect the Centre and the courts to consider first the issue of whether the data in question formed or were intended to form part of a filing system. And if the court found that they did not, then all the rest of the questions would not be relevant and the case could be dropped.
The problem of whether specific data form part of a filing system is a core issue that is usually considered at the very beginning (you can see that in any manual on personal data protection). However, the decision of the Court of Appeal does not cover it all.
The decision of the Chisinau Court of Appeal is still subject to appeal to the Supreme Court of Justice. And these questions could be addressed by the supreme court of the country (if raised).