The Romanian Data Protection Authority (the "RDPA") has recently announced that it will no longer register processing and transfers of personal data to US entities on the basis of Safe Harbour principles. The announcement was made following the Court of Justice of the European Union’s October ruling that the Safe Harbour Decision no longer constitutes adequate legal grounds for data transfers to the United States.
Consequently, as of the date of the CJEU ruling, transfers of personal data to the United States may be performed only on the basis of other safeguards provided by law, such as model clauses or Binding Corporate Rules or, alternatively, on the basis of other specific exceptions provided by law (e.g. when the data subject has given express consent to the transfer; when the transfer is necessary for the performance of a contract between the data subject and the data controller; when the transfer is necessary for the conclusion or performance of a contract, in the interest of the data subject, between the data controller and a third party; when the transfer is required to satisfy a major public interest or for exercising or defending rights in judicial process; or when the transfer is necessary to protect the life, integrity or health of the data subject etc).
Transfers of data abroad to non EU/EEA countries (and to other countries where the RDPA has not recognized an adequate level of protection) require prior authorization from the RDPA. The RDPA further indicated that entities whose processing activities have already been registered in the RDPA’s Registry may continue to transfer data to the United States only on the basis of the above safeguards.