Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Romania

A practical guide to national GDPR compliance requirements across the EEA


Romania

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———


Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

Old legislation has been updated in addition to new legislation being passed.

———

(b) Relevant legislation includes:

  • Law No. 190 of 18 July 2018 regarding the Measures for the Application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 re the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repeal of the Directive 95/46/EC (General Data Protection Regulation) (the “Data Protection Act”)
  • Law No. 129 of 15 June 2018 re the Amendment and Supplementation of Law No. 102 of 2005 regarding the Organisation and Functioning of the National Supervisory Authority for Personal Data Processing and for repealing Law No. 677/2001 regarding the Protection of the Individuals re the Processing of Personal Data and Free Movement of Such Data

———

(c) What is the status of national pre-GDPR data protection law?

Most of the relevant pre-GDPR legislation has been repealed in full; however, Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector enacted prior to the issuance of the GDPR is still in effect.

———


Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———


Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

The legislation implementing the GDPR does not provide specific rules for the processing of personal data in compliance with a legal obligation. However, there are other laws that include rules regarding the processing of personal data in compliance with a legal obligation. For example, accounting legislation (which includes provisions regarding processing for the purposes of accounting and accounting records) regulates the relevant documents and information to be collected, as well as the minimum storage periods for the collected data.

In addition, in the context of employment, national law regulates:

  • the type of data that employers are required to collect and keep in the employee’s file; and
  • the applicable data retention periods.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The following safeguards must be implemented for the processing of personal data for the performance of tasks carried out in the public interest:

  • appropriate technical and organisational measures to comply with the principles set out in Art. 5 GDPR, namely, the principle of data minimisation and the principle of integrity and confidentiality;
  • the appointment of a DPO, where such an appointment is necessary; and
  • the establishment of storage periods based on the nature of the collected data and the purpose of processing, as well as specific periods in which the personal data must be deleted or reviewed for the purpose of deletion.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

There are no specific rules governing this issue.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———


Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

16 years of age.

———


Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

There are no specific rules on processing this category of data.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

The processing of health data for the purposes of public interest in the area of public health cannot be carried out for other purposes by third entities.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

There are no specific rules on processing this category of data.

———

(c) Has national law introduced any further conditions and/or limitations with regard to the processing of genetic data, biometric data, or health data?

The processing of genetic, biometric or health data for the purpose of automated decision-making or profiling is permitted with the express consent of the data subject, or if the processing is performed according to express legal provisions, with the establishment of appropriate measures that protect the legitimate rights, freedoms and interests of data subjects.

———


Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

There are no specific rules on processing this category of data.

———


Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

There are no specific exemptions to the right to be provided information.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———


Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The following articles of the GDPR are not applicable to the extent that the rights being derogated from are likely to make impossible or to seriously impair the achievement of the specific purposes of the processing, and such derogations are necessary for the achievement of the processing purposes:

  • Arts. 15-16, 18 & 21 GDPR do not apply where personal data are processed for scientific or historical research purposes; and
  • Arts. 15-16 & 18-21 GDPR do not apply where personal data are processed for archiving purposes in the public interest.

Appropriate safeguards for the rights and freedoms of data subjects must be implemented (in accordance with Art. 89(1) GDPR).

———


Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———


Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———


Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

In addition to the circumstances referred to in the GDPR, national law requires Impact Assessments to be carried out in the following circumstances:

  • when processing, on a large scale, personal data of vulnerable persons, especially minors and employees, by means of automatic monitoring and/or systematic recording of behaviour, including for commercial, marketing and advertising purposes;
  • when processing personal data on a large scale by innovative use or by the implementation of new technologies, particularly where such operations limit the capacity of data subjects to exercise their rights, such as the use of facial recognition technology for purposes such as access to premises;
  • when processing on a large scale the data generated by sensor devices that transmit data over the Internet or other means (such as Internet of Things (“IoT”) devices); and
  • when carrying out large-scale and/or systematic processing of traffic and location data of individuals (such as Wi-Fi monitoring, geographic location data processing of passengers in public transport or other similar cases) and such processing is not necessary for the provision of a service requested by the data subject.

———


Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———


Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

The appointment of a DPO is mandatory in relation to the processing of national identification numbers for the purpose provided by Art. 6(1)(f) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs are not subject to secrecy obligations under national law.

———


Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———


Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Autoritatea Naționala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (in English: National Supervisory Authority for Personal Data Processing)
    • Address: 28-30 G-ral Gheorghe Magheru Bld., District 1, post code 010336, Bucharest, Romania
    • Website: dataprotection.ro

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

National law does not grant the DPA any additional powers beyond those in Art. 58 GDPR.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Decisions of the DPA may be appealed to the Administrative Litigation Section of the competent territorial Tribunal within 15 days of notification of the DPA’s decision.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

There are no specific rules on this issue.

———


Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———


Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Public authorities may be sanctioned with administrative fines when in breach of Arts. 8, 11, 25-39, 42-43 & 83(4)‑(6) GDPR. Fines may range between RON 10,000 (approx. €2,100) and RON 200,000 (approx. €42,000).

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

There are no additional penalties or sanctions.

———


Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

To ensure a balance between the right to protection of personal data, freedom of expression and the right to information, and processing for journalistic purposes or for the purposes of academic, artistic or literary expression, the law includes certain derogations set out in Q18(b) below.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

If the processing concerns personal data that were manifestly made public by the data subject or that strongly relate to the public character of the data subject, Chapters II-VII & X GDPR may be derogated from.

———


Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

Processing national identification numbers can be carried out in accordance with Art. 6(1) GDPR.

Where processing is carried out for the purpose set out under Art. 6(1)(f) GDPR, the following safeguards must be available:

  • implementing adequate technical and organisational measures for complying with the principle of reducing data, to ensure the security and confidentiality of the processing;
  • appointing a DPO;
  • setting storage periods, depending on the nature and purpose of the processing, as well as specific terms for the deletion or revision of the personal data; and
  • periodically training the persons responsible for processing the data on their obligations.

———


Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

Where electronic monitoring systems and/or CCTV equipment are used at the workplace, the processing of employees' personal data for the purpose of achieving the legitimate interests pursued by the employer is permitted only if:

  • the legitimate interests pursued by the employer are duly grounded and prevail over the interests or rights and freedoms of data subjects;
  • the employer has fully informed the employees in advance;
  • the employer previously consulted the trade union, or the representatives of the employees;
  • other less intrusive means for achieving the purpose proved to be inefficient previously; and
  • the period for storage of personal data is proportional to the purpose of processing, but is no longer than 30 days (except in certain specific situations).

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

Romanian labour laws impose sanctions against employers who breach their employees’ right to dignity and their legitimate interests.

———


Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

There are no other material derogations.

———


Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———


Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

Yes, the Romanian DPA has issued three fines to date.

———


Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:

  • guidelines regarding the implementation of the GDPR (see here); and
  • guidance relating to DPOs (see here).

———


Buzescu Ca contributors

Adrian Tomescu
Partner, Buzescu Ca
T +40 21 222 4422
E atomescu@buzescu.com

Adrian’s major areas of expertise include dispute resolution, litigation state aid and competition damages litigation, intellectual property, data protection, project finance, competition and tax.

He advises various clients on major acquisitions, real estate and restructurings. Adrian coordinates the Buzescu Ca teams representing various clients in tax, drug patent, TMT and real estate complex disputes. He assisted clients regarding all the steps for the implementation of the GDPR, including personal data mapping, data protection impact assessment, preparing the data protection policies and reporting of data breaches to the DPA.

Adrian graduated from Bucharest University School of Law, and is a member of the Bucharest Bar. He also received a Masters degree in Business Law from Nicolae Titulescu Law School, and a Masters degree in Real Estate Economics from the Bucharest Academy of Economics.

Corina Papuzu
Senior Associate, Buzescu Ca
T +40 21 222 4422
E cpapuzu@buzescu.com

Corina’s areas of expertise include data protection, TMT, energy, oil & gas, corporate/commercial, capital markets, employment and intellectual property.

She advises international clients on complex energy trading, and related reporting requirements, corporate, tax and employment matters. She has assisted clients with regard to various issues regarding the implementation of the GDPR, including personal data mapping, data protection impact assessment, drafting the relevant documents, including notices of information to data subjects, data protection policies, notification of personal data breaches to the relevant DPA and also with additional issues related to the GDPR such as data retention periods, drafting data transfer agreements and marketing communications.

Corina graduated from Bucharest University School of Law, and is a member of the Bucharest Bar. She also received a Masters degree in International Private Law at Bucharest University School of Law.

———



This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP

 
