GDPR adopted by the Senate Chamber of the Romanian Parliament
The Senate Chamber of the Romanian Parliament has adopted the legislative proposal on the measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation – “GDPR”).
Currently, the draft has been submitted to the General Secretary for exercising the right to refer to the constitutionality of the law. The report of the refereed committee of the amendments admitted to the original version can be accessed here: https://www.senat.ro/legis/lista.aspx?nr_cls=L294&an_cls=2018.
In the final version of the legislative proposal, the conditions for adhering to a code of conduct in the context of the processing of the national identification number (in Romanian – CNP) based on the legitimate interest of the data controller have been removed, aspects that were reflected in the original version of the document. However, compared to the initial form of the document the following aspects remain unchanged:
- Processing of certain categories of personal data
processing of the national identification number (e.g., personal identification number, ID card series and number, passport number, driver’s license number, social security code) may be performed on the basis of the processing grounds provided under art. 6 par. (1) GDPR (consent, performance of a contract, protection of the vital interests of the data subject, public interest, legitimate interest); Where the ground of processing is the legitimate interest, the processing shall be performed with additional guarantees provided by the data controller.
processing of genetic, biometric data, as well as of data concerning health issues with the aim of establishing an automated decision-making process for profiling is allowed, where the explicit consent of the data subject has been obtained or if the processing is performed under express legal provisions with the implementation of appropriate safeguards;
processing of employee personal data in the context of employment – monitoring using electronic means of communication and/or video monitoring at work for carrying out the employer’s legitimate interests is permitted only under certain conditions – including the compliance with the legitimacy and proportionality principles, as well as with prior, complete and explicit information about the processing provided to the employee.
- Derogations from the GDPR provisions (e.g., public terms of principles, rights of the data subject, controller – processor relationship, data transfer) for processing of personal data for journalistic, artistic, literary, scientific or historical research, statistical and archiving in the public interest purposes
- The main penalties are: the warning and the administrative fine; The infringements of the GDPR provisions by the public authorities and bodies can be sanctioned with a warning or fine of up to RON 200,000
- Complains and allegations submitted and registered with the National Supervisory Authority– starting with May 25, 2018, GDPR provisions will also apply to complaints / allegations filed before that date yet are pending on 25 May 2018. If GDPR provides for a more serious penalty, the infringement committed before May 25, 2018 will be sanctioned in accordance with the legal provisions in force at the date of the infringement, and to the extent that an act committed previously May 25, 2018 no longer constitutes a infringement under GDPR, will no longer be sanctioned.