Romania creates the premises for a friendly IT economy, enabling IT providers to make use of advanced technologies to process aggregate data for different purposes (e.g. statistics, analytic and research services).
In essence, the use of advanced technologies for collecting and processing aggregate data does not trigger particular authorizations or licenses. However, there may be limited circumstances where specific regulatory matters must be complied with (such as for ”dual-use items”). In the scenario where FinTechs advanced technologies entail the processing of ”personal data”, the Romanian regulatory framework on personal data protection should be complied with. On the contrary, where the processing covers only ”anonymized data”, the above mentioned regulatory framework does not apply. The concept of ”personal data” and ”anonymised data” are broadly defined by the Romanian data protection legislation. The assessment of whether the data allow identification of an individual, and whether the information can be considered as anonymous or not depends on the factual circumstances, and a case-by-case analysis should be carried out.
The main obligations in relation to the personal data processing are as follows:
- prior information of the data subjects by providing specific information notices to the data subjects on the data processing carried out by the controller;
- finding legitimate grounds for the data processing by the controller;
- the data processing must observe the ”proportionality principle” (i.e. the data processed must be adequate, relevant and not excessive by reference to the purposes for which they are collected and/or further processed);
- implementation of adequate technical and security measures by both the controller and the processor for data protection against unlawful and/or unauthorized processing;
- notification of the National Supervisory Authority for Personal Data Processing.
However, the obligation to notify such authority applies only with respect to data processing qualified by the authority as triggering potential risks for the fundamental rights of the data subjects and as listed in the Romanian Decision No. 200/2015. The notification requirement is incumbent on the controller. Starting with 25 May 2018, a new regulatory framework will become applicable in Romania by way of EU General Data Protection Regulation no. 2016/679 („GDPR”). The GDPR includes and enhances the privacy requirements in the current Romanian legislation and also introduces new obligations incumbent on data controllers. For the scenarios where FinTechs acts as a data controller or joint controller, it will have to consider, among others: the principles relating to processing of personal data, according to which data must be: (i) processed lawfully, fairly and in a transparent manner in relation to the data subject; (ii) collected for specified, explicit and legitimate purposes; (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (iv) accurate and, where necessary, kept up to date etc.; providing the data subjects with information notices relating to their data processing „in a concise, transparent, intelligible and easily accessible form, using clear and plain language”; also, any communication from FinTechs to the data subjects regarding their rights with respect to the processing should observe the same rule; proving a legitimate interest for the processing or obtaining the data subject’s written consent. Among others, FinTechs may be required to conduct a data privacy impact assessment in case the processing by using new technologies is likely to result in a high risk to the rights and freedoms of the data subjects. Further, if such assessment indicates that the processing would result in a high risk in the absence of measures taken by FinTechs to mitigate the risk, FinTechs shall consult the Romanian Data Protection Authority (in line with GDPR requirements).
We have not identified relevant public official statistics regarding how big is the market for data and risk management or analytic and research services as measured by revenues and customers and what are the biggest companies according to their market shares in this business area.However certain statistics regarding fintech technologies were provided by the National Bank of Romania in the last chapter of the Financial Stability Report as of December 2017.