A draft legislation laying down measures in relation to the GDPR (the “Draft Law”) has just been put forward for discussion in the Romanian Parliament.
Aside for specific requirements for public entities and for activities involving activities such as research or journalism, the Draft Law focuses on the following main points:
(i) Additional requirements for national identifiers
According to the Draft Law, a national identifier is “that specific number which has a general application and identifies a natural person in certain record systems”. Expressly mentioned examples include: (i) the personal identification number, (ii) the passport number, (iii) the driver license number and (iv) the national health insurance number.
If national identifiers are used on the legitimate interest basis, the following guarantees have to be implemented:
- data minimization and technical security and confidentiality measures;
- having a data protection officer;
- adhering to a code of conduct approved as per the GDPR;
- reduction of retention periods to the minimum necessary; and
- periodical training of persons handling such data.
(ii) Additional requirements for processing genetic data, biometric data and data concerning health
The processing of genetic data, biometric data and data concerning health for automated decision-making or profiling is prohibited (even if the individual expressly consent to such data processing). Specific exemptions are provided for processing performed by public authorities in certain specific situations.
(iii) Monitoring employees
The Draft Law states that processing data through IT or video surveillance systems in case of labour relations is allowed only under the following cumulative conditions:
- Legitimate interest: the legitimate interests of the employer refer to highly-important activities that prevail over the employees’ interests, rights and freedoms;
- Prior information: the employer had fully and expressly informed its employees about the using of monitoring systems prior to commencement of data processing;
- Role of trade unions: the employer consulted the trade union(s) or the employees’ representatives about the introducing of monitoring systems prior to commencement of data processing;
- Risk assessment: less intrusive means had been used and they had proven not to be efficient; and
- Retention period: if there are no other cases expressly provided by law or other duly justified cases, personal data of the employees shall be retained only for a period proportionate with the processing purpose and no more than 30 days.
(iv) National body for accrediting the certification bodies
The Draft Law mentions the Romanian Accreditation Association as national body for accrediting the certification bodies, in accordance with article 43 of the GDPR. Secondary legislation in this respect is expected to be issued by the Romanian DPA.
(v) Transitory provisions concerning sanctions
Administrative offences committed prior to 25 May 2018 shall be sanctioned as follows, based on the favorable law principle:
- If the sanction under the previous legislation is lighter than under the GDPR, the former shall apply; and
- If the action committed constitutes an administrative offence under the previous legislation, but not under the GDPR, the action shall not be considered an administrative offence.