It's finally here! About two months before the data protection regulation is due to come into force, there was a Draft Law, designed to substantiate the GDPR legislation allocated to the legislators of member states. It was firstly filed with the Romanian Senate, withdrawn and registered on 3rd April with the Chamber of Deputies. The Draft Law was initially open for public debate until 8th May. However, on 13th April, this term was shortened without any official notice and the public debate was closed on the same date. Hence no proposals/suggestions where registered. Meanwhile the Draft Law undergoes the approval procedure; on 19th April, the Economic and Social Council ("ESC") approved it with amendments. The below article does not exhaustively treat all amendments, but highlights the content of the Draft Law considering certain important modifications.
Although the GDPR as a European regulation is applied directly, without having to be adopted in national legislation, there are certain articles of the GDPR that require tailor-made solutions in national legislation. There are also some aspects that have been left open for each member state to make their own regulations. In this article we look at the important aspects of the Draft Law affecting companies' business activity, excepting the provisions related to sanctions.
Regulations on the processing of certain categories of personal data
The Draft Law defines the `National identification number' as the number under which a natural person is registered in key ID systems such as for ID cards, passports, driving licenses or health insurances. The ESC suggested to amend this definition and to include only the personal identification number and the social insurance number.
a. Biometric, genetic and health data
In contrast to the wording of the GDPR, the Romanian legislator has prohibited the processing of this data for the purpose of an automated decision-making process or profiling. This prohibition cannot be lifted even with the consent of the data subject. The ESC suggested to lift the prohibition if the consent of the data subject is available. An exception to this situation can only arise in case of processing carried out by or under the control of an authority, if the fulfillment of appropriate guarantees is required to ensure data protection for the data subject.
b. Personal identification number
The processing of a personal identification number, including collection or disclosure of the documents containing them, is subject to general legality conditions. For instance, data processing is possible in the following examples:
- consent of the data subject,
- performance of a contract,
- legal obligation of the controller,
- legitimate interest of the controller.
This situation implies a liberalization of the current legislation that has classified the personal identification number as a special category of personal data. So in our opinion, personal identification numbers that are not referred to in art. 9 of the GDPR become `simple' personal data.
In the case of processing national identification numbers out of legitimate interest, the legislator requests appropriate minimum guarantees. These are especially:
- appropriate technical and organizational measures,
- the appointment of a Data Protection Officer (DPO) according to art. 8 of the Draft Law,
- application of approved codes of conduct according to art. 40 of the GDPR and their observance (The ESC suggested to erase this guarantee and to replace it with an assessment regarding the need of processing and the implementation of the guarantees provided by such assessment),
- determining the duration of personal data storage based on the nature of the data and the scope of processing (The ESC suggested to delete the determination of the nature of the data),
- periodical training of staff who process personal data in the name of the controller or the processor.
The Draft Law seems to require a DPO in the case of processing personal identification numbers, which exceeds the wording of the GDPR. The `appropriate minimum guarantees' refer to art. 8 of the Draft Law, which refers to the provisions of the GDPR related to the DPO. One could infer, therefore, that the general dispositions apply to the appointment of a DPO, which would invalidate the above-mentioned disposition. Since, in Romania, it is common (and partially mandatory) for legal entities to process personal identification numbers, this Draft Law would introduce, through the back door, the obligation for (almost) all legal entities to appoint a DPO. We need further clarification from the legislator.
Data processing in the employment context
If the employer, out of legitimate interest, puts monitoring systems in place, in the workplace, via electronic communications or video surveillance, the following conditions must be met:
- the employer's legitimate interest must concern highly important and well-grounded activities, which prevail over the interest of the data subject,
- employees must be given prior complete and explicit information about the monitoring,
- the employer must consult the trade union or employees' representatives in advance (The ESC suggested only an information obligation of the employer),
- another less intrusive measure must have proved to be ineffective (The ESC suggested to delete this clause.),
- except for cases expressly provided by the law, or well justified cases, the duration of data storage must be proportionate to the purpose of the processing but not longer than 30 days (The ESC suggested the deletion of the 30-days term.).
In this context, documentation of processing activity records plays a decisive role. It functions as evidence of the employer`s legitimate interest overriding the rights and liberties of the employee, as well as to justify the storage period.
Employers must also document the written evidence that employees had been informed and had a full understanding, before processing.
For the employer, a rather problematic issue is that he is supposed to have exhausted all appropriate, less intrusive means and prove them to be ineffective (not only less effective) before implementing monitoring by electronic communications or video surveillance. So it is not the proportionality between the different means that is checked: if the employer has other means at his disposal, he must use them first, even if the result is less effective than electronic communications or video surveillance. This can definitely lead to disproportional results, and have cost implications.
The legislator provides a few exceptions, such as:
- Processing for journalistic purposes or for the purpose of scientific, artistic or literary expression of opinion:
To ensure a balance between data protection, freedom of expression, and information, such processing can only occur when it concerns personal data published by the data subject or if it's strongly correlated with the position of a public figure or with the public nature of the activity of the data subject. Apart from certain exceptions (general provisions, remedies, liability and penalties), the application of all essential chapters of the GDPR is excluded.
- Processing for scientific or historical research purposes, for statistical or archiving purposes in the public interest:
In this case, the rights of the persons involved regarding:
- restriction of the processing,
are inapplicable if these rights could lead to making impossible or to complicate significantly the achievement of the above-mentioned purposes.
Despite the legal exception, a justification will be required of the controller to be able to make exemptions from the applicability of these rights.
The same also applies to processing for archive purposes in the public interest although in this case, the application of the obligation to notify, and of the right to data portability, is excluded.
For all the above mentioned exceptions, appropriate safeguards must also be in place.
Data Protection Officer (DPO)
The regulation regarding the Data Protection Officer contains a reference to the GDPR. The Draft Law also regulates the possibility of several authorities sharing a DPO.
Accreditation from certification authorities
The accreditation of certification authorities, i.e. authorities issuing or extending certifications and deciding on an appropriate level of expertise, will be taken over by the Romanian Accreditation Association (RENAR) as the national accreditation body. The accreditation of certification bodies will take place according to EN-ISO/IEC 17065, along with any additional requirements established by the supervisory authority. The ESC states that the certifications of other accredited authorities of EU member state should be also recognized.
The only certainty is that the Draft Law provides confusion. It is unclear, for example, why the legislator has completely prohibited profiling in cases of health data. Cases could be considered in which the regulation is not required because the GDPR already offers enough protection.
If the legislator wants to impose a DPO for all legal entities, how from a practical viewpoint will so many data protection experts be found?
Apart from that, the Draft Law is a (more or less inaccurate) translation of the GDPR.
Despite the acceleration by the Chamber of Deputies, the legislative procedure is still long. It is questionable if the law will come into force by 25th May 2018.