Data protection sits in an awkward middle ground for a Moldovan societate cu răspundere limitată selling into the European Union. The entity is established outside the bloc, so EU primary law does not apply by default. The moment it offers a service to a German consumer or a French business it crosses into extraterritorial scope and inherits an obligation set broader than its domestic statute. Founders need to understand which regime governs which data and what the compliance stack looks like in practice.
When a Moldovan SRL becomes subject to EU GDPR
The triggering provision is Article 3(2) of the General Data Protection Regulation. It extends the regulation to controllers and processors established outside the European Union where the processing relates to the offering of goods or services to data subjects in the Union (subparagraph a) or the monitoring of their behaviour within the Union (subparagraph b). The geographic location of the SRL is not determinative; the residence of the affected individuals at the time of processing is.
For a Moldovan SaaS that takes its first paying customer in Berlin, the GDPR engages on the first transaction. The marketing site alone does not create exposure: the European Data Protection Board has confirmed in Guidelines 3/2018 that mere accessibility from the Union is insufficient. The targeting test asks whether the controller envisages offering services to EU data subjects, with indicators including euro pricing, EU-language site versions, and references to an EU customer base. The behavioural-monitoring limb catches activity many founders underestimate: tracking cookies, behavioural analytics across an installed app, and profiling for ad targeting all engage GDPR independently of any sale.
Article 3(2) is the threshold. The targeting test, not the company's place of establishment, decides whether GDPR applies to a Moldovan SRL.
When GDPR applies, it applies in full: lawful basis under Article 6, transparency under Articles 13 and 14, data-subject rights under Articles 15 to 22, security under Article 32, and breach notification within 72 hours under Article 33. Domestic Law 133/2011 continues to apply in parallel to processing that has a Moldovan nexus.
The adequacy gap and EU-Moldova data flows
The European Commission has not, as of 2026, adopted an adequacy decision for Moldova under Article 45 of the GDPR. The practical consequence is that personal-data transfers from an EU controller to a Moldovan recipient need a transfer mechanism under Chapter V rather than running on adequacy alone.
The default mechanism for commercial transfers is the Standard Contractual Clauses adopted by the Commission in 2021. The SCCs come in four modules covering each combination of controller-to-controller and processor flows. A Moldovan SaaS acting as a processor for a French controller signs the Module Two clauses and accompanies them with a transfer impact assessment addressing Moldovan law on government access to data, including the AML provisions in Law 308/2017, and supplementary technical or contractual measures that meet the Schrems II standard. A reasonable assessment for a commercial SaaS engagement concludes that SCCs plus standard encryption, access controls, and a clear lawful-basis statement are sufficient.
Scenario · Mechanism · Supplementary measures
- Moldovan SaaS processing EU customer data · SCCs Module Two + TIA · Encryption at rest and in transit
- Moldovan subsidiary of EU group · SCCs Module One or BCRs · Group-level access controls
- Marketing data shared with EU partner · SCCs Module One · Purpose limitation, retention cap
- Sub-processor in third country · Back-to-back SCCs · Onward-transfer notification
The reverse direction, Moldovan to EU, has no GDPR transfer issue because the data is moving into the protected jurisdiction rather than out of it. Local Law 133/2011 transfer rules continue to apply on the Moldovan side and are broadly accommodating for transfers to EU member states.
The Article 27 EU representative requirement
A Moldovan SRL subject to GDPR under Article 3(2) must, under Article 27, designate a representative established in the European Union. The representative is named in the privacy notice, is the point of contact for supervisory authorities and data subjects on GDPR matters, and holds the records those parties may need.
The exemption in Article 27(2) is narrow: occasional processing that does not include large-scale special-category or criminal-conviction data and is unlikely to result in a risk to data subjects. The European Data Protection Board reads it tightly. A SaaS business processing EU customer data as a regular feature of its operating model does not qualify, regardless of customer count.
Representatives are a commodity service in 2026. Specialist providers offer the service at a fixed annual fee, holding a registered address in a member state, maintaining Article 30 records, and routing supervisory-authority correspondence to the controller. The representative does not assume controller liability. Choosing the member state is a judgement call: Ireland and the Netherlands are popular for English-language work, while Germany and France have the largest body of regulatory practice.
Law 133/2011 and the CNPDCP
Domestic data protection in Moldova is governed by Law 133/2011, supervised by the Centrul Naţional pentru Protecţia Datelor cu Caracter Personal (CNPDCP). The statute predates the GDPR and was drafted in alignment with the Council of Europe Convention 108 framework. It is being progressively amended to align with the GDPR as part of the acquis approximation programme attached to accession negotiations.
For a Moldovan SRL that is also subject to GDPR, Law 133/2011 adds local obligations on top of the European baseline: notification of processing activities to CNPDCP, registration in the central register where applicable, and Moldovan-language documentation. In practice the two regimes are usually compatible: a GDPR-grade compliance programme will satisfy Law 133/2011 on the substantive issues, with a thin local-language documentation layer added for CNPDCP purposes.
Practical compliance stack
A Moldovan SRL building a GDPR-compliant operating model needs five workstreams. The first is the privacy notice satisfying Articles 13 and 14, identifying the controller, naming the Article 27 representative, and setting out the lawful basis for each activity. The second is the DPA layer: Article 28 agreements with every sub-processor and back-to-back DPAs with each EU customer that uses the SRL as a processor. The third is the transfer-mechanism layer: SCCs where data moves out of the EEA, with TIAs held in the file.
The fourth is the Article 30 record of processing activities, an internal register listing each activity, the categories of data and data subjects, the purposes, the lawful basis, retention, recipients, and transfer mechanism. The fifth is the data-subject request process: an inbound channel, identification step, and response templates for the access, rectification, erasure, restriction, portability, and objection rights. Operational practice is the same whether the customer base sits in e-commerce VAT and OSS structures or the regulated context covered by the IT and fintech guide. DPIAs under Article 35 are conditional, required only where processing is likely to result in a high risk to data subjects.
The GDPR stack is not large, but it is integrated. A privacy notice that does not match the Article 30 register, or SCCs without a transfer impact assessment, fails on first inspection.
What changes on accession and adequacy
Two separate processes will move the picture forward. The first is the EU accession trajectory itself. Negotiations were opened in June 2024 with a target closure on the substantive chapters by early 2028, as covered in the EU accession status note. On accession Moldova becomes a member state for GDPR purposes, the Article 27 requirement falls away, and the EU-to-Moldova transfer question dissolves into intra-Union flow.
The second process is an adequacy decision under Article 45, which the Commission can adopt in advance of full accession. A pre-accession adequacy decision would remove the SCC requirement on EU-to-Moldova transfers while leaving the representative requirement in place pending accession itself. Founders structuring an entity today should plan against the current state and treat any easing as a windfall. The architecture transfers cleanly to the post-accession state, as the AML advisory page and our formation overview deliberately design around.
Frequently asked questions
When does a Moldovan SRL become subject to GDPR?
The trigger is Article 3(2): offering goods or services to data subjects in the European Union, or monitoring their behaviour within the Union. The SRL's establishment in Moldova does not exempt it.
Does Moldova have an EU adequacy decision?
No, not as of 2026. EU controllers transferring personal data to a Moldovan recipient need a Chapter V transfer mechanism, typically the Standard Contractual Clauses with a transfer impact assessment.
Do we need an Article 27 representative?
A regular B2B or B2C SaaS will. The exemption applies only to occasional processing that does not include large-scale special-category data and presents low risk.
How does Law 133/2011 interact with GDPR?
Law 133/2011 applies to processing with a Moldovan nexus regardless of GDPR scope and runs in parallel where GDPR also applies. Alignment with the GDPR text is ongoing as part of accession.
What documents make up the practical compliance stack?
Privacy notice, processor and customer DPAs, SCCs with transfer impact assessments, Article 30 record of processing activities, data-subject request procedures, and conditional DPIAs.
Will accession change the SCC and representative requirements?
Yes. On accession Moldova becomes a member state for GDPR purposes, intra-EU flow no longer needs Chapter V mechanisms, and the Article 27 requirement falls away.
For a privacy notice review, an Article 27 representative introduction, or a transfer impact assessment template, arrange a call through the contact form. Data protection scoping is part of the first advisory conversation for any structure with EU-facing processing.