On March 14, 2018 the Romanian law for implementing measures on EU Regulation no. 2016/679 on the protection of individual rights with regard to the processing of personal data directive no. 95/46/GDPR was submitted to the Senate. This is the long awaited draft law regulating the GDPR requirements, especially the open clauses and the sanctions applicable to Romanian public institutions.
The legislative proposal is available in Romanian language and can be reviewed at the following official link.
Among the most important measures proposed, we note the following:
Data controllers may process the national identification number (CNP or the number of the identity card / passport) in those cases provided by art. 6 par. (1) of the GDPR Regulation. The data processing grounded on legitimate interest (art. 6 paragraphs 1, letter f)) becomes possible under the condition that certain guaranties are established in the process, such as: (i) establishing certain technical and organizational measures to ensure confidentiality and security – art. 32 GDPR; (ii) appointing a data protection officer within the undertaking – art. 8 GDPR; (iii) adherence to an approved code of conduct in light of art. 40 GDPR; (iv) establishing specific retention periods for data in consideration of the processing purpose; and (v) also periodically training of the responsible personnel.
The draft law also provides that the processing of genetic, biometric or health data for purposes of an automatic decision-making process is prohibited, except for processing carried out by or on behalf of public authorities. The prohibition cannot be avoided through the consent of the data subject.
Regarding the public sector the maximum fines for public authorities (national or local) are proposed to be limited to 100.000 RON for non-compliance with the certification procedures and 200.000 RON for breaching the principles of processing, including the requirement for consent or data transfer.
The draft law also provides for transitional measures for the settlement of complaints registered before May 25. Thus, the new provisions shall also apply to notifications registered prior to 25 May and which are still pending. In case the Regulation and the law establishes a more stringent sanction, any violation under the Regulation and the law committed before May 25 can be sanctioned in accordance with the provisions of the normative deeds in force at the date of their commencement.