Moldovan DPL

Law No. 195/2024 on the Protection of Personal Data

Flag of MD
MoldovaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
August 23, 2026
Enacted
July 25, 2024
Enforcing Authority
NCPDP (National Centre for Personal Data Protection)
Consent Model
Opt-in
Applies To
Any organization processing personal data of individuals in Moldova

Overview

Moldova enacted a comprehensive GDPR-aligned data protection law on July 25, 2024, with enforcement beginning August 23, 2026 after a two-year preparation period. The law fully transposes the GDPR into Moldovan legislation, though the maximum penalty is capped at 1% of turnover rather than the GDPR's 4%.

What This Means for Your Website

  • Explicit consent will be required before processing personal data of Moldovan visitors, including through cookies
  • The law is not yet enforced — the two-year preparation period runs until August 23, 2026
  • When enforcement begins, data minimization and purpose limitation principles will apply
  • Maximum penalties are up to 1 million Moldovan lei or 1% of annual turnover

Key Requirements

The NCPDP (National Centre for Personal Data Protection) is established as the independent enforcement authority. The law requires explicit consent for personal data processing, purpose limitation, data minimization, and provides standard data subject rights. Penalties cap at 1% of turnover, significantly lower than GDPR levels. Enforcement begins August 23, 2026.

How ConsentStack Handles This

ConsentStack will apply GDPR-aligned consent standards for Moldovan visitors when enforcement begins in August 2026, ensuring websites are prepared for the new requirements.

Penalties

Up to 1 million Moldovan lei or up to 1% of annual turnover for companies.

Maximum Fine
MDL1,000,000 aggregate
Revenue-based
1% of annual revenue

Key Requirements

  • Explicit consent before personal data processing including cookies
  • Data collected only for legitimate, specific, and stated purposes
  • Data minimization principle
  • NCPDP notification and cooperation requirements
  • Right to withdraw consent at any time

Notable Provisions

  • Not yet enforced — two-year preparation period until August 23, 2026
  • Fully transposes GDPR into Moldovan law
  • Maximum penalty of 1% turnover (lower than GDPR 4%)
  • NCPDP established as independent enforcement authority

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
Loi Informatique et LibertésFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

When does Moldova's data protection law take effect?

August 23, 2026. The law was enacted in July 2024 with a two-year preparation period before enforcement begins.

Is Moldova's law aligned with GDPR?

Yes. Law 195/2024 fully transposes the GDPR into Moldovan legislation, including consent requirements, purpose limitation, and data minimization.

What are the penalties under Moldova's data protection law?

Up to 1 million Moldovan lei or 1% of annual turnover — lower than the GDPR's 4% cap.

Stay compliant with Moldovan DPL

ConsentStack helps you implement Opt-in consent for Moldova automatically.

Get started free