What does this cover?

In the context of the current difficulties faced by the Romanian Data Protection Authority (RDPA) in respect of the increasing number of notifications filed with it and the insufficient number of RDPA personnel to process such notifications, on 19 November 2015 the RDPA issued a draft decision stating that, as a rule, data controllers do not have to file notifications (Draft) subject to some exceptions.

The Draft sets out examples when the notifications still have to be filed which include, amongst others: (i) processing of genetic and biometrical data; (ii) processing of minors' personal data for direct marketing activities; and (iii) processing of personal data which allows direct or indirect geographical localisation of natural persons through electronic communication means.

Moreover, the Draft states that the notification is necessary for all processing in cases of personal data being transferred outside of the EU/EEA to countries which are not recognised as ensuring an adequate level of protection.

The Draft also expressly indicates the situations when the RDPA will undergo preliminary controls (under the previous law this was just subject to the discretion of the RDPA).

The Draft intends to repeal the RDPA decisions currently in force which provide exceptions to the notification obligation. However, the Draft stresses that the other pieces of legislation which provide the notification obligation are not affected by its entry into force (e.g. the RDPA decision which imposes the obligation of data controllers to notify the video surveillance remains in force).

What action could be taken to manage risks that may arise from this development?

Financial services companies should ascertain whether or not the notification exemptions will apply to their operations.

Submitted by Iurie Cojocaru of Nestor Nestor Diculescu Kingston Petersen – Bucharest, Romania in partnership with DAC Beachcroft.