As shown in Part 1 of our report, the Romanian act for the concretisation of the GDPR[1] came into force on 31.July 2018, and therefore with a delay. In comparison to the provisions of other EU member states, the Romanian Law 190 was kept short. It has been discussed controversially even before its adoption. The Romanian legislator has hardly made use of the European opening clauses for clarifying data processing, but rather established exceptions for public authorities, political parties, etc.   

Obligation to appoint a Data Protection Officer (DPO) 

Romanian companies most frequently ask to what extent they are compelled to appoint a DPO. This question has still not been clarified by Law 190, as the act only makes general reference to the GDPR. In principle, art. 37 of the GDPR provides that a DPO must be appointed if the core activity of the company concerned consists of:    

  1. processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  2. processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.    

As it can be assumed that the core activity of most companies does not imply processing special categories of data or criminal convictions, in most cases, the first category has to be verified.

Neither the GDPR nor Law 190 contain clear interpretation of “monitoring on a large scale”, so it is still unclear in which cases data processing is made “on a large scale”. For instance, there are opinions according to which the processing meets the criteria when a considerable amount of personal data is processed at a regional, national and supranational level, and a large number of data subjects may be affected[2]. In our opinion, this does not include processing the data of a company’s own employees (regardless of their number).

If there is an obligation to appoint a DPO, the data protection authority must be notified thereof by completing a form[3]. Company groups can appoint a mutual group officer. However, in the past few months, practice has shown that the Romanian data protection authority does not welcome the appointment of foreign DPOs due to potential communication complications with persons which do not speak the official language.  

Even if most companies are not technically obliged to appoint a DPO, in our opinion it is advisable to appoint a person which is responsible for data protection, without officially notifying the data protection authority.

Different sanctions for public authorities

According to Law 190, the sanctions for violations of data protection legislation by private persons are harsher than for the ones committed by public authorities.

On the one hand, the Romanian Law clearly provides milder sanctions for public authorities (maximum 200,000 RON, representing about €43,000) in comparison to the GDPR (maximum €20 million or up to 4% of the total worldwide turnover of the previous financial year). On the other hand, only public authorities are given the chance to redress data protection violations within an agreed period of time (maximum 3 months). These regulations may be seen as an indicator for the fact that public authorities are still far from complying with the GDPR. It remains an open question whether these regulations will turn out to be fully compliant with EU legislation.        


Law 190 slightly differs from the draft law already described in our previous articles. While the clarifications regarding the processing of biometric data and the personal identification number are welcome, regulations such as the potential positive discrimination of political parties, civil organisations of national minorities or non-governmental organisations are controversial. Especially, it is debatable to which extent the special treatment of public authorities, which benefit from reduced sanctions and a grace period for implementing a redress plan, is justified.