Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The main legislative framework consists of the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation (GDPR)), which is directly applicable in Romania.
  • Law 190/2018 on implementing measures for the GDPR.
  • Law No. 102/2005 on the establishment, organisation and functioning of the National Supervisory Authority for Personal Data Processing (DPA).


Guides and recommendations of the European Data Protection Board, as well as guides issued by the DPA, must also be taken into account.

Alongside the legislation mentioned above, there are a series of normative acts that are relevant from a data protection perspective, including acts that regulate specific areas of data protection, such as cookies and marketing communication.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Romanian data protection authority is the DPA.

The DPA is organised as an independent institution. Its powers are based both on the GDPR and on Law No. 102/2005 on the establishment, organisation and functioning of the National Supervisory Authority for Personal Data Processing.

The DPA may conduct investigations, including unannounced ones. During investigations, the DPA may request any documents and information and can access any equipment (including personal data storage equipment) it deems necessary for the purposes of the inspection. The DPA may gather witness statements and commission experts’ reports.

Once a breach of legislation has been ascertained, the DPA may impose reprimands or fines, alongside corrective measures. Periodic fines can be imposed in specific cases.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

Whenever the activity of a controller or processor of personal data has a cross-border nature, a conflict of competence may arise. The mechanism for resolving such a conflict is enshrined in the GDPR. As a rule, the supervisory authority of the main or single establishment of the controller or processor is competent to act as lead supervisory authority for investigating the cross-border processing carried out by that controller or processor, and it must cooperate with the other supervisory authorities concerned.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Under Romanian law, breaches of data protection law are sanctioned by way of:

  • reprimands;
  • fines; and
  • corrective measures in line with the GDPR; in addition, the DPA may require the controller or processor to publish, at its own cost, any of the corrective measures imposed.


An infringement is established by the DPA’s control personnel, and the sanction is applied by way of a report signed by that personnel. Where the fine exceeds €300,000, it can be imposed only through a Decision of the President of the DPA, based on the report drawn up by the DPA’s control personnel.

The fines are set in the GDPR. They are up to €10 million or up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements concerning, for example, the obligations arising from the privacy-by-design and privacy-by-default principle and the security of the processing; and up to €20 million or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements concerning, for example, the basic principles for processing (including the conditions for consent) and the data subjects’ rights.

If the controller or processor fails to comply with the imposed measures, tacitly or expressly refuses to provide all the information and documents requested by the DPA, or refuses to be subject to an investigation, the DPA may apply a periodic fine of 3,000 Romanian leu per day.

As permitted by the GDPR, Romania decided that a distinct sanctioning regime applies to public authorities, under the provisions of Law No. 190/2018. Therefore, if a public authority infringes the GDPR or the national data protection laws, the DPA first issues a warning accompanied by a remediation plan. The DPA can then resume the investigation and, if it finds that the measures in the remediation plan were not implemented, a fine ranging from 10,000 to 200,000 Romanian leu may be applied.

Romania decided not to impose criminal penalties for infringements.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The general data protection legal regime enshrined in the General Data Protection Regulation (GDPR) expressly excludes from its scope of application:

  • processing of personal data performed in the course of activities outside the scope of European Union law;
  • processing of personal data performed by member states with respect to common foreign and security policy;
  • processing of personal data performed by a natural person in the course of a purely personal or household activity;
  • processing of personal data performed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; and
  • processing of personal data of deceased persons.


The legal regime of personal data processing is also governed by other specific pieces of legislation, which cover the processing of personal data in electronic communications, and the processing of personal data for the purposes of preventing, detecting, investigating, prosecuting and combating crimes or executing penalties, educational measures and security measures.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Interception of communications, electronic marketing and the monitoring and surveillance of individuals are specifically addressed by Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (which transposes into Romanian legislation Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive)). Interception of communications and the monitoring and surveillance of individuals are further regulated by the Criminal Procedure Code.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Currently, Romania has not developed sector-specific data protection legislation. However, some specific rules (as permitted by the GDPR) are included in national legislation regarding the processing of:

  • genetic, biometric and health data;
  • the national identification number;
  • data in employment contexts; and
  • data in the context of performing a task that serves a public interest.


These rules do not diverge from the principles and rules of the GDPR.

PII formats

What forms of PII are covered by the law?

The GDPR (and thus applicable national legislation) applies to the processing of personal data wholly or partly by automated means and to the processing, other than by automated means, of personal data which forms part of a filing system or is intended to form part of a filing system, where a ‘filing system’ means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or a geographical basis.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The GDPR also applies to controllers and processors not established in the European Union where their processing activities relate to the offering of goods or services to data subjects in Romania, irrespective of whether a payment from the data subject is required, and to the monitoring of data subjects’ behaviour taking place in Romania.

Also, the GDPR applies to the processing of personal data by a controller not established in the European Union, but in a place where Romanian law applies by virtue of public international law.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Personally identifiable information is not a concept recognised in European law; the term to be used is ‘personal data’. The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data that forms part of a filing system or is intended to form part of one. Processing of personal data covers all operations performed on it, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.

All processing activities within the scope of the GDPR must observe the rules set out in it.

The majority of obligations and duties sit with the person who determines the purposes and means of the processing (the controller), as the controller is accountable for the processing of the personal data. Specific obligations and duties also sit with the person designated by the controller to process data on its behalf (the processor).

Law stated date

Correct on

Give the date on which the information above is accurate.

1 May 2020.