On 28 December 2015, Romanian Data Protection Authority (RDPA) decision No. 200/2015 on the processing of individuals’ personal data without prior RDPA notification (the "Decision"), came into effect.
The Decision simplifies the cases where individuals’ personal data can be either processed or transferred abroad, without prior notification submitted by a data operator to the RDPA. Thus, the Decision will likely favour operators in their endeavour to freely process or transfer abroad individuals’ personal data.
In enacting the Decision, the RDPA effectively repealed certain of its previous decisions. According to the preamble of the Decision, the RDPA is authorized to enact simplified secondary legislation and to subsequently control any processing or transfer of individuals’ personal data.
However, based on the Romanian Law No. 677/2001 on individuals’ personal data processing (the"2001 Law"), the RDPA’s right to enact secondary legislation is allowed only under certain strict terms, such as the guarantee that individuals personal data processing, or transfer abroad, when simplified, should not harm such individuals rights.
From this perspective, the Decision may be seen as harming individuals’ privacy rights, as it fails to substantiate the strict terms that were necessary for allowing its enactment, especially when without prior notice to the RDPA, the scope, recipients and duration of the data processing or transfer would be unknown to RDPA, when an operator performs such data processing, or transfer.
Additionally, the Decision is expected to stir debates among data protection scholars and practitioners, as the requirement for operators to notify RDPA, prior to processing individuals’ personal data or transferring it abroad, is at the core of the 2001 Law.
In light of the apparent conflict between the Decision’s provisions and the provisions of the 2001 Law, it may be expected that, in the future, the RDPA will amend the Decision, aligning it with the 2001 Law.