In September 2017, the Romanian Data Protection Authority (RDPA) took its first small steps towards the application of the EU’s General Data Protection Regulation (GDPR). These are considered insufficient and more actions are expected. A short summary of the main relevant actions taken so far in Romania follows.
On 5th September, on the website of the Romanian Ministry for Internal Affairs, a draft law (Draft Law) was published for debate, and all legal practitioners were anxious to have a look at the long-awaited draft which will replace the current Romanian Data Protection Law.
The Draft Law is focused exclusively on the organisation and functioning of the RDPA. It certainly includes some important amendments especially with regard to the GDPR and its mandatory provisions to be implemented by the EU Member States; but it is a long way from the detailed guidelines or other national provisions that other member states have published to date.
The main amendments of the Draft Law refer to the following topics:
- Independence of the RDPA
Although the reason is not clear, the Draft Law equates RDPA officers with public officers of the Parliament, who have a more privileged status than ‘simple’ public officers. The Draft Law sets out the independence of the RDPA and the RDPA President.
- Powers of the RDPA President
Among others, the President of the RDPA shall monitor the application of the GDPR and of Directive (EU) 2016/680 and ensure participation in the European Data Protection Board.
- Investigative powers of the RDPA
This is important, although at the moment the RDPA does not have the resources to comply with these GDPR requirements. The GDPR’s investigative powers give the RDPA access to all personal data and information and to any premises of the controller and processor, as well as the right to request any information relevant to the investigation. The RDPA may also ask for expert opinions, and organise hearings. To be able to fulfil its duties, the RDPA will increase its personnel from 50 officers to 85.
- Corrective powers of the RDPA
This is the prime concern of most legal entities (both processors and controllers), and there is an incentive to comply with the GDPR before the 25th May 2018 deadline. As high fines may be imposed, the topic of privacy will undoubtedly become a priority to most legal entities, and the development will be similar to that of the Romanian Competition Legislation and the Romanian Competition Council. The main sanctions imposed by the RDPA are reprimands and administrative fines. The RDPA may also impose warnings.
- Determination of a breach
The RDPA officers will determine a breach in a protocol unless the administrative fine exceeds the RON equivalent of €300,000, in which case the breach must be determined by decision of the President of the RDPA.
The controller and/or processor under investigation may enter an objection within 15 days after communication of the protocol or of the decision, as applicable. If no objection is filed within 15 days, the protocol or the decision becomes an executory title.
The administrative fine becomes due within 15 days after the delivery of the protocol or the decision.
- Statute of limitations
The sanctions may be imposed up to 3 years after the breach. The term is interrupted by the start of an investigation procedure, but even so the statute of limitation shall not exceed 4 years from the breach.
- Administrative fine for failure to provide information
The RDPA has a tool to exert pressure on the subjects under investigation. It may impose an administrative fine of up to RON 3,000 per day of delay if measures are not taken, or requested information and documents are not made available to the RDPA.
Any data subject may complain to the RDPA, according to a procedure to be stipulated by the President of the RDPA. The RDPA must, within 30 days, inform the data subject whether the complaint is admissible.
- Legal active capacity of the RDPA (right to sue)
Another important tool of the RDPA is the right to claim if the RDPA considers that a breach of any guaranteed rights has occurred. If so, the data subject becomes the legal plaintiff, but if the data subject does not commit to such a claim, the competent law court will annul the application.
Many EU Member States are one step ahead, as they gathered their data protection experts a while ago, held conferences to prepare for the GDPR and created guidelines for all stakeholders on the upcoming major changes in data protection legislation. Unfortunately, the RDPA has had a different approach. Its guidelines were published on its website only on 21st September 2017. The document is called “Indicative guidelines for the application of the GDPR for controllers” (Guidelines).
These Guidelines are a good summary of the GDPR and its implications for data processors, but unfortunately do not add much value for their application in Romania. With the exception of three recommendations, the document mainly copies the GDPR and sometimes refers to the GDPR brochure issued a few months ago – another compilation of some major changes made by the GDPR.
The recommendations refer to:
- the appointment of a data protection officer even if it is not mandatory (hence where the legal entity does not fulfil the conditions according to Art. 37 GDPR),
- doing an impact assessment – this includes (i) a guarantee in respect of private life, (ii) an estimation of the impact on private life and (iii) evidence of the compliance with fundamental principles of the GDPR,
- the obligations of the controller to draft and implement internal procedures guaranteeing compliance with data protection rules (by applying privacy by design and by default according to Art. 25 GDPR).
Although the Draft Law and the Guidelines were very welcome, we still hope that the RDPA will take a more active role in the application of the GDPR, and that the data protection authority will involve stakeholders and privacy experts in the continued creation of detailed guidelines to be ready before 25th May 2018.