Articles

One year of GDPR in Romania

Authors: Roxana Ionescu and Alexandra Dunareanu

Legislative actions

After May 25, 2018, the Romanian Parliament passed 3 laws:

• one for reflecting the new sanctioning and enforcement regime in the law on the organization of the National Authority for the Supervision of Personal Data Processing – Law No. 102/2005 as amended via Law No. 129/2018;
• one implementing so-called “open clauses” under GDPR in Romania – Law No. 190/2018 on the measures aimed at implementing the GDPR;
• one transposing the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA – Law No. 363/2018.

Law No. 190/2018 includes the following key provisions:

• it defines specific rules when controllers wish to process national identification numbers (e.g., personal identification number, ID card series and number, passport number, driver’s license number, social security code) based on legitimate interest, including the need to appoint a Data Protection Officer (DPO).
• processing of genetic, biometric data, as well as of data concerning health issues with the aim of establishing an automated decision-making process for profiling is allowed, where the explicit consent of the data subject has been obtained or if the processing is performed under express legal provisions with the implementation of appropriate safeguards;
• employee monitoring using electronic means of communication and/or video monitoring at work for carrying out the employer’s legitimate interests is permitted only under certain conditions, including: prior consultation of the trade union or employee representatives regarding the implementation of the monitoring systems; proportionality of the data retention period – no more than 30 days for data processed via monitoring systems, except as required by law or in duly justified cases.

In addition to the above, the Romanian DPA has issued decisions on the list of operations for which data protection impact assessments are required and on investigation procedure to be applied by the DPA.

DPA figures – enforcement and others

According to the latest information provided by the Romanian DPA on May 17, 2019, the following DPA activity numbers are available:

• 9335 notified DPOs
• 391 data breach notifications received until May 17, 2019
• 460 investigations performed ex-officio by the Romanian DPA until May 17, 2019 (including 391 as a result of receiving data breach notifications)
• 456 investigations performed further to receiving data subjects’ complaints until May 17, 2019.

To date, the Romanian DPA has not applied any pecuniary sanctions, but only corrective measures and recommendations.

For more information about data protection and GDPR application in Romania, please contact Roxana Ionescu, Partner and head of our Data Protection practice, Roxana.Ionescu@nndkp.ro.