Tuca Zbarcea & Asociatii

 

What law(s) specifically govern personal data / information?

Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)

The principal data protection legislation in Romania (and the EU) is the GDPR, which replaced Directive 95/46/EC (“Data Protection Directive”). The GDPR intends to increase the harmonisation of data protection law across the EU Member States.

  • Primary legislation:
    • Law No. 190/2018 on the Implementation of the GDPR (the “Privacy Law”).
    • Law No. 102/2005 on the establishment, organisation and functioning of the National Supervisory Authority (the “ANSPDCP Law”).
    • Law No. 129/2018 for the amendment and supplementation of Law No. 102/2005 on the establishment, organisation and functioning of the National Supervisory Authority for the Processing of Personal Data (ANSPDCP), as well as for the repeal of Law No. 677/2001 on the Protection of Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data.
    • Law No. 362/2018 on the security of network and information systems / NIS Directive (“NIS Law”).
    • Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Law).
    • Law No. 363/2018 on the processing of personal data by the competent authorities for the prevention, detection, investigation, prosecution and control of criminal offences or the execution of sanctions, education and measures.
  • Secondary legislation:
    • National Supervisory Authority for the Processing of Personal Data (“ANSPDCP”) Decision No. 128/2018 on the Approval of the Form of the Notification of a Personal Data Breach in accordance with the GDPR;
    • ANSPDCP Decision No. 133/2018 on the Approval of the Procedure for Receiving and Handling Complaints;
    • ANSPDCP Decision No. 161/2018 on the approval of the Investigation Procedure by the National Supervisory Authority;
    • ANSPDCP Decision No. 174/2018 on the list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment; and
    • Methodological Norms implementing Law No. 362/2018.

 

What are the key data protection principles in this jurisdiction?

  • Lawful basis for processing
  • The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

    • consent of the data subject for one or more specific purposes;
    • contractual necessity;
    • compliance with a legal obligation of the controller to perform the relevant processing;
    • protection of the vital interests of the data subject or of another natural person;
    • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
    • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

    The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

    • explicit consent of the affected data subject;
    • the processing is necessary in the context of employment or social security law; or
    • the processing is necessary for the establishment, exercise or defence of legal claims.
  • Transparency
  • Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

  • Purpose limitation
  • Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

  • Data minimisation
  • The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

  • Accuracy
  • Personal data must be accurate and, where necessary, kept up to date.

  • Storage limitation
  • Personal data must be stored in a form that permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data was initially collected.

  • Integrity and confidentiality
  • Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  • Accountability
  • The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

 

What is the supervisory authority / regulator in charge of data protection?

The regulator entrusted with overall competence in the data privacy field, including investigation powers, is the ANSPDCP.

 

Is there a requirement to register with a supervisory authority / regulator?

No specific national requirements currently exist in respect of registration or mandatory payment of a fee for supervision undertaken by ANSPDCP.

 

Is there a requirement to notify the supervisory authority / regulator?

No specific national requirements exist in this respect. GDPR rules apply accordingly, such as the duty to notify personal data breaches under Article 33 GDPR.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or it requires the data in order to establish, exercise or defend legal rights.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Pursuant to Article 35 GDPR, the controller is obliged, prior to the processing, to carry out a data protection impact assessment where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

According to ANSPDCP’s Decision No. 174/2018, the data protection impact assessment is mandatory in the following cases:

  • the processing of personal data is undertaken in order to perform a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or of personal data relating to criminal convictions and offences;
  • the processing of personal data having as purpose the systematic monitoring of a publicly accessible area on a large scale, such as: video surveillance in shopping centres, stadiums, markets, parks or other such spaces;
  • processing on a large scale of personal data of vulnerable persons, especially children and employees, through automatic means of systematic monitoring and/or recording of behaviour, including in order to carry out advertising, marketing and publicity activities;
  • processing on a large scale of personal data through the innovative use or the implementation of new technologies, especially if the respective operations limit the ability of the data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces;
  • processing on a large scale of data generated by devices with sensors that transmit data over the Internet or other means (“IoT” applications, such as smart TVs, connected vehicles, smart meters, smart toys, smart cities or other such applications);
  • large-scale and/or systematic processing of traffic and/or location data of natural persons (such as Wi-Fi monitoring, processing of geo-location data of passengers in public transport or other such situations) when the processing is not necessary to provide a service requested by the data subject.

By exception, the data protection impact assessment shall not be mandatory when the processing carried out under Article 6 paragraph (1) letter (c) or (e) of the GDPR has a legal basis in Union law or in the national law and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of the respective normative acts.

 

Does this jurisdiction have any specific data breach notification requirements?

The controller is obliged to report a personal data breach to the relevant data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s). Furthermore, the controller is obliged to communicate the breach to the data subject if the breach is likely to result in a high risk to the rights and freedoms of natural persons. If the controller is obliged to report a personal data breach to the competent authority and/or the data subject, it shall contact them in both cases without undue delay (and, in the case of the notification to the authority, within 72 hours of first becoming aware of the breach).

Specific rules also apply in respect of particular industries. For instance, in the case of telecom service providers (as per the E-Privacy Law), all security breaches must be notified immediately to the ANSPDCP, irrespective of their potential to cause risk. Moreover, any security breach with the potential to cause a risk to data subjects (irrespective of whether that risk is high or not) must be notified to the impacted individuals.

The requirements for such notification are set out in the E-Privacy Law and further supplemented by the provision of Commission Regulation (EU) 611/2013 of 24 June 2013 on the Measures Applicable to the Notification of Personal Data Breaches under the ePrivacy Directive, which sets out additional details of the ePrivacy Directive's (2002/58/EC) data breach notification requirements.

In addition, operators of essential services and digital service providers falling under the ambit of Law No. 362/2018 must notify security breaches affecting the essential services they provide immediately to the competent national NIS authority (DNSC).

The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

 

What restrictions apply to the international transfer of personal data / information?

Except as required under the GDPR (see below) and in strategic fields (e.g., national defense, public services, pensions sector, etc.), there are no general prohibitions on the transfer abroad of personal data.

Under the GDPR, international data transfers (i.e. transfers to jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is covered by an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

For a data transfer to all other countries the controller is obliged to ensure compliance for international data transfers:

  • The transfer may be based on Standard Contractual Clauses (“SCCs”) drafted by the EU Commission. The SCCs, which took effect on 27 June 2021, are available for the following transfers:
    • Module 1: controller to controller
    • Module 2: controller to processor
    • Module 3: processor to processor
    • Module 4: processor to controller
  • The transfer may be based on contracts agreed between the data exporter and the data importer, provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is required.
  • The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
  • The transfer is covered by one of the permitted derogations set out in Article 49 (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

With regard to its geographic scope, the GDPR combines the principles of establishment, market place and territoriality.

Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.

Pursuant to the principle of the market place, the GDPR is applicable for the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment of the data subject is required; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU (principle of the territoriality).

 

What rules specifically deal with marketing?

According to the E-Privacy Law:

  • Commercial communications made by means of automatic calling and communication systems which do not require the intervention of a human operator, by fax or e-mail, or by any other method using electronic communications services intended for the public, are prohibited unless the subscriber or user concerned has previously given their express consent to receive such communications.
  • By exception, if the controller (natural or legal person) directly obtains the electronic mail address of a customer on the occasion of the sale to them of a product or service, the controller may use that address for the purpose of making commercial communications (i.e., via e-mail or SMS) concerning similar products or services which that person markets, provided that it clearly and expressly offers customers the opportunity to object to such use by simple and free means, both when obtaining the electronic mail address and on the occasion of each message, if the customer did not initially object.
  • In all cases, it is forbidden to make commercial communications by electronic mail (i.e., via e-mail or SMS) in which the real identity of the person in whose name and on whose behalf they are made is hidden or in which a valid address is not specified to which the recipient can send their request regarding the cessation of such communications or in which the recipients are encouraged to visit internet pages that contravene art. 5 of Law No. 365/2002 on electronic commerce.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The above-mentioned rules provided by the E-Privacy law apply.

 

What rules specifically deal with cookies?

According to the E-Privacy Law, cookies may be placed only if all of the following conditions are met:

  • the subscriber or user in question has given their consent;
  • the subscriber or user in question was provided, prior to giving the consent, with clear and complete information that:
    • (i) must be displayed in easy-to-understand language and be easily accessible to the subscriber or user;
    • (ii) includes statements regarding the purpose of processing the information stored by the subscriber or user or the information to which they have access.

If the provider allows third parties to store or access information stored in the subscriber's or user's terminal equipment, the information under points (i) and (ii) will include the general purpose of the processing of this information by third parties and how the subscriber or user may use the settings of the internet browser or other similar technologies to delete the stored information or to deny third parties access to this information.

The consent mentioned above may also be given by using the settings of the Internet browsing application or other similar technologies through which it can be considered that the subscriber or user has expressed their agreement.

The above-mentioned conditions do not apply to the storage of, or technical access to, the stored information in the following cases:

  • when these operations are carried out exclusively for the purpose of transmitting a communication through an electronic communications network.
  • when these operations are strictly necessary in order to provide an information society service, expressly requested by the subscriber or user.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

  • Sanctioning regime under the ANSPDCP Law
  • The administrative sanctions that ANSPDCP may impose for an infringement of GDPR or national legislation are:

    • a warning; or
    • an administrative fine.

    These sanctions may be imposed by ANSPDCP within three years from the date when the infringement occurred. However, such a term will be interrupted if any legal proceeding has been carried out by the ANSPDCP, without exceeding a maximum term of four years.

    When the amount of the fine exceeds €300,000, the fine will be applied only through a decision of the Chairman of ANSPDCP.

    Corrective measures can be applied either by decisions of the ANSPDCP or by the minutes issued by the ANSPDCP's representatives.

    In the event of non-compliance with the measures ordered or in the case of a tacit or express refusal to provide all the information and documents requested in the investigation or in the case of a refusal to carry out the investigation, the ANSPDCP may impose by decision a fine up to RON 3,000 (approx. €640) for each day of delay, calculated from the date set by decision.

  • Sanctioning regime under Law No. 363/2018
  • The rules by which public authorities and bodies are sanctioned differ from those applying to any other entity. As such, any infringement of the GDPR or national legislation by public authorities and bodies will first be sanctioned with a warning, and a remedy plan will be imposed by the ANSPDCP, which will also set a remedy term.

    If within ten days of the ending of the remedy term, the public authority or body fails to fulfil the measures set out in the remedy plan, then the ANSPDCP may impose pecuniary sanctions. Under the provisions of Law No. 363/2018, the competent authority may be granted an extension on the remedy term up to 30 days.

    Nonetheless, the administrative fines in such cases are capped at a maximum of RON 200,000 (approx. €43,000).

  • Sanctioning regime under the E-Privacy Law
  • Failure to comply with the legal obligations provided in the E-Privacy Law may be sanctioned with administrative fines from RON 5,000 to RON 100,000 (approx. from €1,100 to €22,000). In cases where companies have a turnover exceeding RON 5,000,000 (approx. €1,000,000), fines can amount to up to 2% of such turnover.

    By exception, failure to comply with the legal obligations regarding the processing of location data other than traffic data and regarding the subscribers’ registry (specifically concerning the data subject’s consent to processing) may be sanctioned with administrative fines from RON 30,000 to RON 100,000 (approx. from €6,000 to €20,000). In cases where companies have a turnover exceeding RON 5,000,000 (approx. €1,000,000), fines can amount to up to 2% of such turnover.

  • Sanctioning regime under the NIS Law
  • Failure to comply with the legal obligations provided under the NIS Law may be sanctioned with administrative fines ranging from RON 3,000 to RON 100,000 (approx. from €600 to €20,000). In cases where the companies infringing the rules have a turnover exceeding RON 2,000,000 (approx. €400,000), fines can amount to up to 5% of such turnover.

  • Sanctions under the GDPR
  • The GDPR provides for a maximum penalty in the amount of the higher of EUR 20 million or 4% of worldwide turnover (Article 83 GDPR).

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Controllers and processors who are not established in the EEA are generally required under Article 27 GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

Specific obligations in the employment field

According to the Privacy Law, a controller using monitoring systems by means of electronic communications and/or video surveillance at the workplace on the basis of its legitimate interest (Article 6 para 1(f) GDPR) is subject to the following requirements:

  • the legitimate interests pursued by such a controller acting as an employer must be justified and prevail over the interests or the rights and freedoms of the data subjects;
  • the employer must provide mandatory, complete and explicit prior information to employees;
  • the employer must consult the labour union or, as the case may be, the employees' representatives before the implementation of the monitoring system;
  • other, less intrusive forms and means of achieving the goal pursued by the employer must not previously have proved effective; and
  • the storage of personal data must be proportional to the purpose of processing, but not more than 30 days, except for situations expressly regulated by law or duly justified cases.

GDPR derogation

According to the Privacy Law, in order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out, by way of derogation from Chapters II-VII and IX of the GDPR, if it concerns personal data which have been made manifestly public by the data subject or which are closely linked to the data subject's status as a public person or to the public nature of the facts in which the data subject is involved.

 

What upcoming data protection developments should multinational organisations be aware of?

N/A.

 
