On 28th December 2015 the Romanian Data Protection Authority issued a Decision (Decision No.2000/2015) simplifying the process for permitting the transfer of personal data from Romania to other jurisdictions.

Romanian law No.677/2001 implements EU Data Protection Directive 95/46/EC and includes the usual restrictions on transfers of personal data from Romania to countries outside the European Economic Area that are neither approved countries by the European Commission for the receipt of personal data nor provide the adequate protection of the rights of individuals in respect of their personal data.

Whilst some EU Data Protection Authorities allow the use of approved EU Model Clauses without the need for prior approval of the data transfer agreement incorporating those Model Clauses, Romania has required prior approval.

The Decision referred to above appears to relax the requirement for prior approval although it has been suggested to us that this is at odds with the Romanian Data Protection Act itself since this Decision seeks to unilaterally amend the prime legislation and may not be within the power of the Romanian Data Protection Authority.

Needless to say where Model Clauses are being used by Data Controllers in Romania specific legal advice will be required.