Two months after the General Data Protection Regulation (GDPR)[1] came into force, the Romanian legislative body adopted an additional law (“Law 190”)[2]. It came into force on 31. July 2018.

General Aspects

Law 190 has introduced some changes to the initial draft. To what extent they will create a practice oriented legal framework is still questionable. The first part of the practice-relevant aspects described below.

Processing certain categories of personal data

a. Biometric, genetic and health data

Processing this kind of data for automated decision-making processes or profiling requires the consent of the data subject, unless the processing takes place as a result of an expressly stated legal provision. Appropriate measures for ensuring the rights, liberties and legitimate interests of the data subject are needed.

b. Personal Identification Number (eg. CNP)

To process a national identification number on the basis of the legitimate interest[3] of the processor or a third party, the legislative body asks for the following guarantees:

  • Appropriate technical and organizational measures, such as data minimization (restricting processing to the extent needed) and ensuring the confidentiality of the data,
  • Appointing a Data Protection Officer (“DPO“),
  • Establishing how long personal data must be stored, according to the type of data and the purpose of processing,
  • Regular training of the personnel that processes the personal data in the name of the controller or the processor.

If processing the personal identification number out of legitimate interest, a DPO must be appointed. Since processing the personal identification number is rather common in Romania, this measure could lead to the limitation of unjustified requests for the personal identification number in practice. Although this should already be guaranteed directly by the GDPR, this expressly stated regulation regarding the Romanian practice is more than welcome.   

Data Processing in the employment context

If the employer has monitoring systems by means of electronic communication or video surveillance in place, out of legitimate interest, he must:

  • Base his legitimate interest on legitimate reasons and act in favor of the interests, rights and liberties of the data subject,  
  • Inform the employee in advance, thoroughly and clearly, 
  • Consult with the trade union or the employees’ representatives in advance, 
  • Make sure no other milder measures have proved to be efficient for the employer’s purpose,
  • Make sure the storage duration for the purpose of processing is proportionate; except for cases expressly provided by the law or well justified cases, it will be of maximum 30 days.

The documentation in the register of processing activities plays a decisive role. Just as important is the (written) evidence that the employee has received and understood the notification before the data was processed.  

However, what will still be problematic for the employer is that he must have proved that all milder measures were inefficient (not just less efficient) before implementing monitoring systems by electronic communication or video surveillance. 


To ensure the proportionality and balance between data protection and the processing of personal data (including special categories) by political parties and civil organizations of national minorities, non-governmental organizations etc, the following rights must be considered: 

  • The data subject’s right to information regarding the processing of the data,
  • Transparent information, communication and methods for exercising the data subject’s rights,  
  • Right of rectification and deletion.

These organizations are allowed to process the personal data for the purpose of their activity, without the express consent of the data subject, if the previous guarantees/rights are ensured.   

In our opinion, exempting these organizations from the rules of the GDPR and thus from the protection it stipulates for data subjects, infringes  the GDPR.    


The law tries, on the one hand, to comply with the obligations of the GDPR. On the other hand, it crosses its limits, which will definitely have consequences. We are expecting further changes.