Just before the summer holiday, the Romanian Data Protection Authority caused intense tumult by imposing the first three data protection sanctions against Romanian companies based on the GDPR. Subject to these fines were a bank (UniCredit, €130,000), a hotel (World Trade Center Bucharest, €15,000) and a consultancy company (Legal Company & Tax Hub SRL, €3,000), which was, ironically, offering advice on data protection issues.

The reason for the above mentioned sanctions was, again, the security of data processing, topic already analysed in an older article on Data Protection Authority instructions.

Below are some thoughts that should be carefully considered by each and every data controller.

Reporting and notifying infringements of data protection rights to the authorities

Infringements of data protection must be reported by controllers to enable the assessment of the impact by the Data Protection Authority. Natural persons affected by such infringements can also notify the authority.

Controllers must report infringements of the protection of personal data to the competent authority within a maximum of 72 hours and using an online notification form. These notifications must be signed digitally; hence controllers with no electronic signature have no possibility to report any infringements.

Natural persons can report infringements of their personal data in Romanian or English. The controller must be informed about the infringement before, and the infringement must not already have been remedied. The report can be submitted online or on paper, personally or by a duly authorised person.

Practical examples of publishing personal data

One of the principles governing data processing is that of responsibility: each and every controller must be able to prove the lawful processing of data. As opposed to tax audits, the authorities don’t prove existing infringements but act preventatively and sanction the controller if he doesn’t provide proof of lawful data processing.     

The instructions provide practical examples that apply to both private and professional life. In the private sector, a property owners’ association (Ro. asociatie de proprietari) may publish personal data, such as outstanding payments for the utilities, or process video recordings if certain strict requirements for secure processing and data minimisation are met.

Likewise, public authorities may publish information about candidates for public positions only if express consent was granted, or if a legal disposition obliges the authority to such publication. Public authorities are positively discriminated against private companies, according to Romanian legislation differing to the GDPR, since (i) before a fine can be imposed, they can remedy the infringement within a maximum of 3 months, and (ii) they are threatened with much lower sanctions (maximum 200,000 RON), as opposed to the GDPR maximum of €20 million or up to 4% of the total global turnover for the previous financial year).

Special personal data

Sensitive data, as stated in older legislation (such as personal ID number, ID card series and number, passport number) may only be processed in certain situations and under observance of additional provisions. In practice, natural persons share their personal ID number (Ro. cod numeric personal) without concern in many situations, and controllers frequently demand these details, without thinking too much about it. The sanction imposed on UniCredit will probably encourage all controllers to verify whether all requested information is really necessary.

Conclusion and future prospects

The sanctions imposed in the past months have caused some alarms to go off. We assume that companies from the private sector will think more carefully about their data protection policy, and will carefully study the instructions of the Data Protection Authorities in the light of the GDPR. It remains to be seen to what extent this deterrent effect will contribute to data processing being in line with EU standards, or if it is only a short term fuss.