The Data Protection Authority’s powers are now aligned with GDPR
Law No. 129/2018 for amending and supplementing Law No. 102/2005 regarding the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing, and for repealing Law No. 677/2001 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was published on 19 June 2018 in the Official Gazette of Romania No. 503/19 June 2018.
Law No. 129/2018 modifies and supplements the existing legal provisions regarding the organization and functioning of the Romanian data protection authority (DPA), the authority’s powers and attributions and the duties of its representatives, the exercise of the investigatory powers, the management of complaints and the exercise of legal remedies, especially regarding the following aspects:
- The DPA’s representatives with investigatory powers have the right to conduct investigations, including unannounced ones, and to request from the data controller/processor, on the spot or at a further established term, any information/documents, regardless of the storage media, to take copies of them, to have access to any of the data controller/processor premises, and to verify any equipment, means or storage media necessary to conduct the investigation. In the event that such authority representatives are prevented from performing their attributions, they have the right to request and obtain a judicial authorisation, within 48 hours;
- As a rule, the investigation cannot begin before 08:00 AM and cannot continue after 6:00 PM. By way of exception, the investigation can be prolonged after 6:00 PM, but only with the written consent of the entity subject to the investigation or of its representatives;
- The reprimand and the administrative fine may be applied, as a rule, within 3 years from the date when the fact was committed. Such term will be interrupted by the performance of any procedural act, without exceeding a maximum term of 4 years. In cases of time-related breaches or of committing, based on the same resolution and at different time intervals, several actions or inactions that each show the content of the same offense, such term will start from (i) the date of the finding or (ii) the date of cessation of the last act or fact committed, if this occurs prior to the finding;
- Where the amount of the administrative fine applied exceeds the RON equivalent of EUR 300,000, the administrative fine will be applied only through a decision of the DPA president. Certain corrective measures (e.g. the limitation/ban of processing, data deletion) can also be applied only through such a decision and not through the minutes prepared by the authority representatives with investigatory powers;
- The sanctions/corrective measures applied can be challenged before the competent court of law within 15 days from the date when the minutes/decision was communicated or handed over. The challenge will only suspend the payment obligation, until a final court judgement has been pronounced;
- The data subject who deems that the processing of personal data belonging to him/her breaches the legal provisions in force has the right to file a complaint with the authority, including by electronic means;
- If, following the exercise of its powers, the authority considers that any of the rights guaranteed to a data subject have been infringed, the authority may refer the matter to the competent court. In this case, the data subject will acquire the status of plaintiff and will have to assume the case, otherwise the action of the authority will be cancelled;
- The GDPR provisions are also applicable to the complaints submitted/investigations started prior to 25 May 2018 and pending on that date, but if the sanctions regulated by GDPR for the offences identified are higher than those regulated by the applicable provisions in force at the time when the offence was committed, those latter provisions will apply.
Law No. 129/2018 repeals, as of 25 May 2018, Law No. 677/2001 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.