What does this cover?
Following the adoption of the Romanian Data Protection Authority's (the RDPA) Decision No. 200/2015 (the Decision) on 14 December 2015, the RDPA has recently issued a guide explaining how the notification forms should be completed (the Guide), taking into account the changes brought by the Decision.
The Decision sets forth the rule under which data controllers do not have the obligation to notify the data protection authority with respect to the processing of personal data which they carry out. There are exceptions to this rule when particular categories of personal data are being processed and the newly issued Guide provides the following examples of situations in which notification is required:
a) processing of personal data related to racial or ethnic origin, political, religious, philosophical or similar beliefs, personal data related to trade union membership, as well as health data and data related to sex life (e.g. polls and market research, collecting donations for disabled persons);
b) processing of genetic and biometric data (e.g. scientific research);
c) processing of personal data which directly or indirectly allows the geographical localisation of natural persons through electronic means (e.g. monitoring or security of persons and/or public or private goods through GPS);
d) processing of personal data carried out by private entities regarding the perpetration of criminal offences by the data subject or criminal convictions, safety measures or administrative sanctions applied to the data subject (e.g. filing systems, such as those of credit offices);
e) processing of personal data through electronic means for the purpose of monitoring and/or evaluating certain personality aspects, such as professional competences, credibility and behaviour, etc. (e.g. creating and using the profiles of data subjects in order to send newsletters, monitoring employees' activity on the internet and whistle blowing);
f) processing of personal data by private entities through electronic means in filing systems for the purpose of automated decision making regarding the analysis of solvency, or the economic/financial circumstances, or facts used to ascertain disciplinary, administrative or criminal liability of natural persons (e.g. credit reports);
g) processing of minors' personal data carried out in a direct marketing context;
h) processing of minors' personal data carried out through the internet or through electronic messaging (e.g. publishing school results or extracurricular competitions and publishing images taken during extracurricular activities); and
i) processing of personal data of the categories discussed at (a) above carried out by associations, foundations or any other non-profit organisations in relation to their own members, for the purpose of fulfilling the organisations' specific activity, insofar as the personal data are disclosed to third parties without the consent of the data subjects.
What action could be taken to manage risks that may arise from this development?
Organisations with Romanian entities are advised to adhere to the notification requirements to the RDPA in accordance with the Guide.
Article submitted by Lurie Cojocaru – Nestor Nestor Diculescu Kingston Petersen – Bucharest, Romania, in partnership with DAC Beachcroft LLP.