August 23, 2026 — Moldova Gets Its Own GDPR. What Companies Need to Do
Law No. 195/2024 on personal data protection enters into force on 23.08.2026. Who it applies to, what fines apply, and what companies must prepare.
In a few months, Law No. 195/2024 on the Protection of Personal Data enters into force in the Republic of Moldova. The law fully transposes the European GDPR into national legislation. Fines reach up to 2% of annual turnover. Here's a plain-language guide: who it applies to, what needs to be done, and where to start.
Key facts
- Entry into force: August 23, 2026 (24 months after publication on August 23, 2024, in Monitorul Oficial No. 367–369, art. 574).
- What the law does: fully transposes Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — into Moldovan national law.
- Who it applies to: any company or organization in Moldova that processes personal data. It also applies to foreign companies that offer goods/services to or monitor the behavior of individuals located in Moldova.
- Fines: up to 2,000,000 MDL, and for enterprises — up to 2% of the previous year's total annual turnover.
- What to do: bring your processes into compliance before August 23, 2026.
1. Why this matters for every Moldovan company
Many think: "GDPR is for Europe — it doesn't apply to us." In fact, it does, and now — officially, through a national law.
Law No. 195/2024 will replace the current Law No. 133/2011, which was based on the outdated Directive 95/46/EC. The new law is an almost word-for-word transposition of GDPR into Moldovan law. It applies to the processing of personal data by automated means, in whole or in part, as well as to manual processing if the data forms part of a filing system.
If you have an online store, a CRM, a SaaS product, a newsletter, a mobile application, a loyalty program, video surveillance in your office, or simply a customer database in Excel — you are a personal data controller. And the law applies to you.
The law also applies to foreign companies
Under art. 2 of Law No. 195/2024, the law applies to foreign controllers without an establishment in Moldova in two cases:
- they offer goods or services to people located in Moldova (even free of charge);
- they monitor the behavior of these people on Moldovan territory.
This means a foreign SaaS serving Moldovan customers is also subject to the law.
2. What changes compared to the 2011 law
There are six major changes.
2.1. Extended rights for data subjects
Every individual receives a set of rights similar to those under the European GDPR:
- Right of access — to know what data is being processed, to whom it is transmitted, and on what legal basis.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten") — to demand deletion of data in cases provided by law.
- Right to restriction of processing.
- Right to data portability — to receive their data in a structured, machine-readable format and transfer it to another controller.
- Right to object to certain types of processing.
- Right not to be subject to automated decisions, including profiling, if these produce significant legal effects.
The deadline for responding to a request is, as a rule, one month.
2.2. Mandatory DPO in certain cases
The law introduces the role of Data Protection Officer (DPO). Appointing a DPO becomes mandatory for:
- public authorities;
- companies whose core activities involve systematic large-scale monitoring of data subjects;
- companies whose core activities involve large-scale processing of special categories of data (health, biometrics, political opinions, etc.) or criminal conviction data.
The DPO can be an internal employee or an external contractor. The DPO's contact details must be published and communicated to the National Center for Personal Data Protection (CNPDCP).
2.3. Record of Processing Activities (RoPA)
The controller is required to maintain an internal record of all data processing activities: purposes, categories of data, categories of data subjects, recipients, retention periods, technical and organizational security measures. The record must be ready for inspection at any time.
2.4. Data Protection Impact Assessment (DPIA)
If processing is likely to result in a high risk to the rights and freedoms of individuals (large-scale profiling, video surveillance in public spaces, biometric processing, etc.), the controller is required to carry out a Data Protection Impact Assessment (DPIA) before starting the processing. If the residual risk remains high — a prior consultation with CNPDCP is required.
2.5. Incident notification within 72 hours
In case of a breach or other incident posing a risk to the rights of data subjects, the controller is required to notify the CNPDCP within 72 hours of becoming aware of it. If the risk is high — the affected data subjects must also be informed without undue delay.
2.6. Real fines
This is the most sensitive change. Under the current Law No. 133/2011, the maximum fine was expressed in conventional units under the Contravention Code. Under Law No. 195/2024:
- Up to 2,000,000 MDL — fine for the violating controller;
- For enterprises — up to 2% of total turnover for the previous year, including for failure to comply with a corrective measure imposed by the CNPDCP.
The law provides for a transitional period for applying sanctions: in the first year after entry into force, 10% of the imposed fine is applied; in the second year — 40%; from the third year — 100%. This means full fines can be imposed after August 23, 2028.
3. Checklist: what must be in place by August 23, 2026
If your company processes personal data in any volume — here is the minimum list of what must be in order by August 2026.
Legal part
- Privacy Policy in all languages of the website/app, with mandatory elements per art. 13–14: controller identity, contacts, purposes, legal bases, retention periods, data subject rights, DPO contacts.
- Consent forms — explicit, separated by purpose, easy to withdraw. No pre-ticked checkboxes.
- Data Processing Agreements (DPA) with all subcontractors to whom you transfer data: hosting, CRM, marketing platforms, accounting services.
- Record of Processing Activities (RoPA).
- Internal policies: personal data security policy, access regulation, incident management procedure.
- Cookie banner with granular consent by category.
Technical measures
- Data encryption at rest (on disks) and in transit (TLS 1.2/1.3 everywhere).
- Access control following the principle of least privilege, plus two-factor authentication for administrative accounts.
- Audit logs protected from modification.
- Backups with regular restoration tests.
- Vulnerability management: regular patching, dependency scanning.
- Pseudonymization and anonymization of data in test environments.
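The last item above deserves a worked illustration, because pseudonymized data is still personal data under the law (whoever holds the key can reverse the mapping), while anonymized data is not. The example below is added here and is not code from the original article or from WebDirect; it uses constructed sample rows and an assumed key name to show keyed pseudonymization of direct identifiers that keeps table joins intact for a test environment.

```python
import hmac
import hashlib

# Constructed sample rows standing in for a production export (not real people).
CUSTOMERS = [
    {"id": 1, "email": "ana@example.md", "phone": "+37360000001", "city": "Chisinau"},
    {"id": 2, "email": "ion@example.md", "phone": "+37360000002", "city": "Balti"},
]
ORDERS = [
    {"order_id": 100, "customer_email": "ana@example.md", "total": 250},
    {"order_id": 101, "customer_email": "ion@example.md", "total": 90},
]


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Keyed one-way mapping: same input and same key give the same token.
    Without the key a token cannot be linked back to the person, but the key
    holder can, so the output remains personal data under Law No. 195/2024.
    The key must stay in production and never be copied to the test environment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def build_test_dataset(customers, orders, key: bytes):
    """Replace direct identifiers (email, phone) with pseudonyms while keeping
    the customer/order join working. Indirect identifiers such as city are kept
    here; in a real dataset they must be assessed for re-identification risk too."""
    pseudo_customers = [
        {"id": c["id"], "email": pseudonymize(c["email"], key),
         "phone": pseudonymize(c["phone"], key), "city": c["city"]}
        for c in customers
    ]
    pseudo_orders = [
        {"order_id": o["order_id"],
         "customer_email": pseudonymize(o["customer_email"], key),
         "total": o["total"]}
        for o in orders
    ]
    return pseudo_customers, pseudo_orders


def joins_preserved(pseudo_customers, pseudo_orders) -> bool:
    """Every order must still resolve to exactly one pseudonymized customer."""
    emails = {c["email"] for c in pseudo_customers}
    return all(o["customer_email"] in emails for o in pseudo_orders)
```

The constructed key below is for demonstration only; in practice the key lives in a production secret store and is rotated when the test dataset is regenerated.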
Processes
- Data Subject Access Request (DSAR) handling procedure with an SLA of no more than 30 days.
- Incident response plan with notification templates for CNPDCP and data subjects.
- DPIA for high-risk processes (if any).
- DPO appointment (if applicable) or designation of a responsible person.
- Employee training program.
Cross-border transfers
If you use AWS, Google Cloud, Microsoft Azure, Mailchimp, HubSpot, or any other service hosting data outside Moldova — you need to verify the legal basis for the transfer and sign Standard Contractual Clauses (SCC) with the provider.
4. Where to start right now
There is less time until August 23, 2026, than it seems. Preparing for the law is not a one-week job. We recommend the following sequence:
Month 1. Discovery audit: understand what personal data your company processes, where it is stored, to whom it is transferred. In parallel — update the basic documentation (privacy policy, consents, contracts with subcontractors).
Months 2–3. Cover basic technical measures: encryption, access control, logging, backups.
Months 4–5. Implement data subject request handling and incident response processes. Conduct DPIA for high-risk processes.
Month 6. Appoint a DPO (if applicable), train employees, run a breach simulation exercise.
Ongoing thereafter. Keep the Record of Processing Activities up to date, refresh documents, conduct audits, monitor CNPDCP decisions.
5. How the WebDirect team helps
We — the WebDirect DevOps team — help businesses in Moldova address compliance tasks both point-by-point and comprehensively. We have separate services for each item on the checklist: from discovery audits and database encryption to DPO-as-a-Service and 24/7 SOC monitoring. You can start with a single small audit and gradually expand.
If you want to understand how prepared your company is for August 23, 2026 — write to us. The initial assessment takes 1–2 days and provides a clear roadmap.
Sources
- Law No. 195/2024 on the Protection of Personal Data — Monitorul Oficial No. 367–369, art. 574, dated 23.08.2024.
- Law No. 133/2011 on the Protection of Personal Data (current edition, in force until 22.08.2026).
- Regulation (EU) 2016/679 (GDPR).
- Official CNPDCP communication (datepersonale.md) on the publication of Law No. 195/2024.
- Ministry of Justice of the Republic of Moldova (justice.gov.md), communication dated 05.02.2025: "The law will enter into force on 23.08.2026".
This material is for informational purposes only and does not constitute legal advice. For individual matters, please consult a lawyer or contact the WebDirect team.