September 2017 – The Romanian government has published for public debate draft legislation intended to implement the mandatory provisions of the EU’s General Data Protection Regulation (GDPR) into local legislation (the "Draft Law").

The Draft Law focuses on the following main points: (a) the independence and powers of the Romanian Data Protection Authority (the "Romanian DPA"); (b) the procedural steps to be taken during investigations and the method of cooperation during cross-border investigations; (c) the sanctioning of data protection legislation breaches; (d) and the procedure for complaints filed by data subjects with the Romanian DPA. Further, the Draft Law, if approved in its current wording, would repeal Romania data protection law no. 677/2001 without providing additional details in relation to existing secondary legislation.

Below we outline several changes to current legislation proposed by the Draft Law that are relevant for data controllers and data processors.

A. Independence of the Romanian DPA

The independence of the Romanian DPA is emphasised in the Draft Law by the manner in which the president of the Romanian DPA may be revoked and by the specific provision that the Romanian DPA cannot be influenced by or receive instructions from another public authority or entity.

B. Performing investigations

Data to be reviewed: The Romanian DPA is granted additional powers in terms of the data it can obtain and analyse during investigations. Thus, the Romanian DPA can: (i) access and analyse any equipment, storage device and (ii) take and record statements from any relevant individual.

Cross-border investigations: In the event of cross-border investigations, personnel of a foreign data protection authority may conduct investigations, based on the powers granted thereto by the president of the Romanian DPA.

C. Limitations for applying sanctions

Statute of limitation: The Draft Law provides for a general statute of limitation of three years since the perpetration of the administrative offence for applying sanctions (and a maximum of four years in case investigative steps were taken during this three-year period). Nevertheless, for administrative sanctions perpetrated in a continuous manner the statute of limitation is calculated from the most recent administrative offence perpetrated.

Role of the president of the Romanian DPA: Generally, the inspectors of the Romanian DPA have powers to apply sanctions. However, certain more severe types of sanctions (e.g. a fine above EUR 300,000) can be applied only by the president of the Romanian DPA.

D. Handling complaints filed by data subjects with the Romanian DPA

The Draft Law provides certain deadlines for the Romanian DPA to provide information on the steps taken for complaints submitted by data subjects.

Under the current wording of the Draft Law, the Romanian DPA (i) shall respond within 30 days from the date such a complaint is filed regarding the admissibility of the complaint and (ii) shall provide information to the data subject on the progress of analysing the complaint within three months from the filing of the complaint.