Romania – updates on GDPR legislation
On 14 March 2018, the Romanian Senate published the legislative proposal regarding the measures aimed at implementing Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”).
First, the legislative proposal explains the concept of authorities and other public bodies, as well as that of the national identification number, providing a list of examples of categories of public bodies and of the types of numbers by which an individual is identified in certain record systems.
The proposal addresses special rules to be met by the data controllers when processing certain categories of personal data. The main terms included in the legislative proposal concern:
- the processing of a national identification number (e.g. personal identification number, series and number of ID card, passport number, driver’s license number, social security code) can be based on the legitimate interest ground of processing when additional guarantees are established by the data controller. Such guarantees are:
  - ensuring data minimization, security and confidentiality of processing by implementing appropriate technical and organizational measures;
  - appointing a Data Protection Officer (DPO);
  - adherence to an approved code of conduct intended to contribute to the proper application of the GDPR;
  - setting data retention periods, as well as specific data erasure deadlines;
  - regular training, regarding data protection obligations, of the persons who process personal data under the direct authority of the data controller.
- the processing of genetic or biometric data, as well as of data concerning health, with the intent of establishing an automated decision-making process for profiling is prohibited, except for processing done under the control of public authorities pursuant to the terms set out by special laws on these matters.
- the processing of personal data in the context of work relations – monitoring using electronic means of communication and/or video monitoring at work for the purpose of the employer’s legitimate interests is permitted only under the following conditions:
  - compliance with the principles of legitimacy and subsidiarity – the legitimate interests of the employer prevail over the interests or rights and freedoms of the data subjects;
  - prior, complete and explicit information of the employee;
  - prior consultation of the trade union or employee representatives regarding the implementation of the monitoring systems;
  - other, less intrusive forms and methods of achieving the purpose pursued by the employer have been tried beforehand and have not proven effective;
  - proportionality of the data retention period – no more than 30 days for data processed via monitoring systems, except as required by law or where justified.
In addition, the proposal sets out the violations that trigger administrative sanctions under the GDPR. The main sanctions are a written reprimand and a fine; violations of the GDPR provisions by public authorities and public bodies can be sanctioned by a written reprimand or by a fine not exceeding approx. EUR 40,000.
Finally, the legislative proposal provides that the GDPR provisions will apply to complaints and proceedings submitted to and registered with the DPA beginning May 25, 2018, including complaints/proceedings submitted prior to this date but still pending on May 25, 2018. If the GDPR provides for an increased penalty, an offence committed prior to May 25, 2018 will be sanctioned according to the legal provisions in force at the time the offence was committed; and in so far as an act committed prior to May 25, 2018 does not constitute an offence under the GDPR, the act will no longer be sanctioned.