On 26 March 2012, Decision no. 23 issued by the Romanian Supervisory Authority for Personal Data Processing (“DPA”) came into force (the “Decision”).
It regulates the cases in which notification for personal data processing is no longer necessary. It was made by the DPA after concluding that certain types of personal data processing are unlikely, in the DPA’s opinion, to infringe the rights of data subjects. This Decision does not repeal or modify either of the two decisions previously issued by the DPA which also set forth several cases in which notification for such processing is not required (i.e. Decision no. 90/18.07.2006 and Decision no. 100/23.11.2007). To summarise, the DPA adds seven new situations to those already included in the above decisions.
Notification is no longer required if personal data processing is performed:
- By individuals or legal entities undertaking an independent activity, authorized by special legislation, when fulfilling their legal duties;
- For managing the database held by National Archives;
- By public and private entities for lending books, movies, artistic and other audio-visual works, and reproductions thereof;
- By courts of law for fulfilling their legal duties, others than those concerning the criminal law domain;
- By local public administration authorities, county level public administration authorities and Bucharest municipality public administration authorities for fulfilling their legal duties;
- For real estate brokerage;
- By political parties concerning their members, provided such data is not disclosed to third parties without the individual member’s consent.
Prior to this Decision, a simplified notification (i.e. only certain sections of the notification form are filled in) was required in situations referred to at points 1-6 above, as per the DPA’s decision no. 91/18.07.2006 on simplified notifications.
Currently, a simplified notification is only required if personal data processing is performed:
- By public and private education institutions for managing student databases, and financial and administrative databases; or
- By public and private entities for providing gas, electricity, water and sewage services based on agreements concluded with their customers.
Note that in theory, this exemption from the notification obligation does not impact on data controllers’ obligation to observe all other personal data protection rules (e.g. good-faith processing of individuals’ personal data, no transfer of such data without individuals’ prior consent, security measures, etc.). In practice however, it is likely that such rules are frequently broken, including by public authorities. Thus, by increasing the circumstances in which notification is not required, the DPA is likely to be faced with increasing abusive use of personal data.