September 2023

1. Governing Texts

The legal rules in Romania are mainly set in the Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('the Law') which in principle reiterates the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') rules and in specific decisions issued by the National Supervisory Authority for Personal Data Processing ('ANSPDCP'), regulates main areas of the GDPR such as when Data Privacy Impact Assessments ('DPIA') will be mandatory, the accreditation of certification bodies, the conducting of investigations and managing complaints, and notifying security breaches.

The ANSPDCP's guidelines are quite scarce and generic, only reiterating the main GDPR principles and standards.

1.1. Key acts, regulations, directives, bills

The general legal framework for data protection has changed substantially since the GDPR took effect in May 2018.

Despite the GDPR's direct applicability in all EU Member States, the regulation recognizes Member States' rights to adopt derogations or additional safeguards in specific cases or with respect to certain types of processing.

In order to regulate such derogations, the Parliament of Romania adopted the Law, published in the Official Gazette No. 651 of 26 July 2018. The Law provides special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers ('DPO') and certification bodies, as well as provisions on the applicable sanctions for public and private entities.

In addition, the functions, powers, and duties of the ANSPDCP have been modified by means of a separate act, Law No. 129 of 15 June 2018 amending and integrating Law No. 102/2005 on the Establishment, Organization, and Functioning of the National Supervisory Authority for the Processing of Personal Data, as well as repealing Law No. 677/2001 on the Protection of Persons with Regard to the Processing of Personal Data and the Free Movement of such Data ('the ANSPDCP Law').

In January 2019, Law No. 363/2018 of 28 December 2018 on Provisions Regarding the Processing of Personal Data by Competent Authorities for the Prevention, Detection, Investigation, Prosecution, and Control of Criminal Offences or the Execution of Sanctions, Education, and Measures (only available in Romanian here) ('Law No. 363/2018') came into force.

In 2019, the Law was subject to a 'corrigendum'. Specifically, processing for statistical purposes had been included amongst the cases benefiting of the exemption regulated by Article 89(2) of the GDPR.

Furthermore, several decisions were issued by ANSPDCP:

• Decision No. 174/2018 on the list of kinds of processing operations which are subject to the requirement for a DPIA;
• Decision No. 20/2021 on the approval of the additional requirements for the accreditation of certification bodies pursuant to Article 43 of the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Regulation (EU) 2016/679);
• Decision No. 238/2019 on the amendment of Annex no. 2 to the procedure for conducting investigations, approved by the Decision of the President of the National Authority for the Supervision of Personal Data Processing No. 161/2018 (only available in Romanian here);
• Decision No. 161/2018 on the approval of the procedure for conducting investigations;
• Decision no. 133/2018 on the approval of the procedure for receiving and resolving complaints (only available in Romanian here);
• Decision No. 128/2018 on the approval of the standard form for the notification of personal data breach in accordance with GDPR (only available in Romanian here);
• Decision No. 99/2018 regarding the cessation of the applicability of some normative acts with administrative character issued in the application of Law No. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data; and
• Decision No. 184/2014 on the approval of the standard form of notification of personal data breach for providers of public network services or electronic communications services, in accordance with the European Commission Regulation on measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on confidentiality and electronic communications (Regulation (EU) No. 611/2013).

1.2. Guidelines

The ANSPDCP has released a GDPR resource center (only available in Romanian here) which includes general guidance for the application of GDPR (only available in Romanian here).

Furthermore, the ANSPDCP issued on May 2019 guidance on frequently asked questions on the implementation of GDPR and the applicability of Law No. 190/2018 (only available in Romanian here).

1.3. Case law

The entry into force of the GDPR marked a significant increase in data privacy litigation cases.

The majority of such litigation (made publicly available) has been filed against credit institutions by paying customers complaining about reports to the Credit Bureau with negative credit scoring. Essentially, the claimants were asking for their data to be removed from the Credit Bureau database (before the expiry of the retention period applicable to the Credit Bureau system). The claimants argued that the 'right to be forgotten' applies to them with respect to such processing. The courts generally dismiss such claims as ungrounded upholding that the right to be forgotten does not apply in such cases, since there is a prevailing legitimate interest of the participants of the Credit Bureau system to have access to payment behavior information of the customers of the credit institutions.

One may also note a few court decisions whereby data subjects were awarded indemnification for the incurred prejudice following the illegal data processing, namely:

• VODAFONE ROMÂNIA S.A. was ordered to pay an indemnification of RON 2,000 (approx. $434) with respect to violations of Article 5(1)(a) and (f) of GDPR for failing to process data lawfully, fairly, and in a transparent manner in relation to the data subject and in a manner that ensures appropriate security of the personal data when concluding an additional subscription contract with a third person using the claimant data, without implementing an identification process.
• Banca Transilvania S.A. was ordered to pay an indemnification of RON 10,000 (approx. $2,170) for moral damages and material damages of RON 1,200 (approx. $260) for illegal processing of personal data starting on April 14, 2009. The controller had not informed the data subject in a transparent manner when transferring his data from the filing system of Biroul de Credit S.A. in the filing system of FICO. Starting on  April 14, 2009, all data included in Biroul de Credit S,A, filing system was being processed in FICO Score, an automated decision-making system, potentially leading to negative effects on the data subject.
• Iași Municipality was ordered to pay an indemnification of RON 15,000 (approx. $3,255). In the case at hand, Iași Municipality published on its website listed individuals with debts towards the public budget which included the identification data of the claimant even after the claimant settled their debts. Thus, the court upheld that Iași Municipality had no legal basis of processing the claimant's personal data. The publication of such data on its website even after the settlement of the debt affected the claimants' public image, thus entitling the claimant to be awarded an indemnification of the incurred moral damage.
• National Company 'Bucharest Airports' S.A. was ordered to pay an indemnification of RON 10,000 (approx. $2,170) to a member of its Board of Directors, following the publication on the company's website of the data subject's contact details (i.e. full domicile address) and ID data (personal numeric number, series, and the ID number, date of issuance, and issuing authority). Such data was included in a decision of the general meeting of shareholders approving the appointment of the data subject as a member of the Board of Directors (processing which does not trigger any legal issues). Still, the decision was further published on the website of the company without masking the personal data not necessary to ensure the transparency of the corporate decision-making under the applicable corporate rules. The court upheld, in this case, the breach of the data minimization principle i.e. explaining that publishing only the name and surname of the individuals would have been sufficient and that the processing lacked of legal basis.

2. Scope of Application

2.1. Personal scope

The Law applies to public and private entities processing personal data.

Law 363/2018 applies to competent authorities regarding the activities of prevention, detection, investigation, prosecution, and combating of crimes, execution of punishments, educational and security measures, as well as the maintenance and assurance of public order and safety.

2.2. Territorial scope

The Law and Law 363/2018 are applicable to processing operations undertaken in the territory of Romania or by controllers/processors headquartered in Romania.

2.3. Material scope

The Law sets derogatory rules for the processing of particular types of data or specific data purposes/operations, as follows:

• biometric and health data processing in view of undertaking an automated decision or for generating profiles, shall take place exclusively on the basis of express consent or express legal obligation with implementation of adequate data privacy measures;
• the national identification number may be processed based on the legitimate interest with the condition that controllers meet certain requirements in this regard, such as:
  • implementing technical and organizational measures in order ensure security and confidentiality of data;
  • appointing a DPO in line with GDPR;
  • implementing retention periods subject to the nature of the data and the scope of processing; and
  • period training, education, and awareness programs for persons with access to the data;
• collecting employees' data via monitoring activities undertaken via electronic communication means/CCTV based on the legitimate interest of the employer, may take place only provided that:
  • proper justification of legitimate interest is considered;
  • the employee is informed with respect to the monitoring;
  • a prior consultation with the union or the employees' representatives occurs before the monitoring implementation;
  • less intrusive means to reach the goal pursued are considered and do not apply; and
  • a term of retention proportionate to the purpose of processing is implemented, which shall not exceed 30 days, unless expressly provided by law or well-founded exceptional cases (e.g., pending litigation).

Law 363/2018 on the specific provisions regarding the processing of personal data by competent authorities for the prevention, detection, investigation, prosecution, and control of criminal offences or the execution of sanctions, education, and measures applies to all data relating to an identified or identifiable natural person. This includes special categories of data (i.e. biometric data, health data, sex, etc. provided for in Article 9 of the GDPR), but also criminal records, as stipulated in Article 10 of the GDPR. Notably, sensitive data can be processed only if strictly necessary on a case-by-case basis and if one of the conditions below are met:

• the processing is expressly provided by law;
• the processing is necessary for the prevention of an imminent danger as to the life, health of physical integrity of a person; or
• the processing entails data manifestly made public by the data subject.

Law 363/2018 expressly prohibits automated decision-making and profiling with respect to sensitive data. Nevertheless, automated decision-making with respect to personal data can be undertaken if such action is expressly provided by law.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The regulator entrusted with overall competence in the data privacy field, including investigation powers, is the ANSPDCP.

3.2. Main powers, duties and responsibilities

As per the ANSPDCP Law, the ANSPDCP's main powers, duties, and responsibilities are those established by the GDPR. However, the exercise of certain powers and tasks have been further clarified within this legislation, such as:

• the power to carry out investigations; and
• the handling of complaints by the data subject.

Furthermore, additional powers have been granted to the ANSPDCP:

• to carry out unannounced onsite investigations, at the headquarters of the ANSPDCP or via written correspondence with the ANSPDCP;
• to request and obtain from the controller or processor, onsite and/or within a set time limit, any information and documents, regardless of the storage media;
• to make copies of the requested information or documents;
• to have access to any of the premises of the controller or processor;
• to have access to and verify any equipment or data storage media required for the ongoing investigation; and
• to commission audits and hearings of persons whose statements are considered relevant and necessary for the investigation.

4. Key Definitions

Data controller: No national variations. The GDPR definition applies.

According to Law 363/2018, the data controller is the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller or the specific criteria for its nomination may be provided for by law.

Data processor: No national variations. The GDPR definition applies.

Personal data: No national variations. The GDPR definition applies.

Sensitive data: No national variations. The GDPR definition applies.

Health data: No national variations. The GDPR definition applies.

Biometric data: No national variations. The GDPR definition applies.

Pseudonymization: No national variations. The GDPR definition applies.

Data subject: No definition under local laws. As per the European Data Protection Supervisor ('EDPS') glossary, a person whose personal data are collected, held or processed.

Article 2 of the Law provides additional definitions, such as:

Public authorities and bodies: Chamber of Deputies and Senate, Presidential Administration, Government, Ministries, other specialized bodies of central public administration, autonomous public authorities, and institutions, local and county-level public administration authorities, other public authorities, and institutions under their subordination/coordination. For the purposes of this Law, public authorities/bodies, cult units, associations, and foundations of public utility shall be treated as such.

National identification number: The number by which a natural person is identified in certain filing systems and which has general applicability, such as personal number, serial number, ID number, passport number, driving license, and social health insurance number.

Remediation plan: Annex to the reports of finding and sanctioning the infringement, drawn up under the conditions laid down with respect to accreditation of certification organs, whereby the ANSPDCP entails measures and a deadline for remediation.

Remediation measure: A solution ordered by the ANSPDCP in the remediation plan for the public authority to comply with the legal obligations.

Remediation period: The period of time not exceeding 90 days from the date of communication of the reports of finding and sanctioning the infringement, during which the public authority has the possibility of solving any irregularities found and complying with the legal obligations. 

Carrying out a task in the public interest: Activities of political parties or minority organizations, non-governmental organizations, entailing the objectives set out in constitutional or public international law or the functioning of the democratic system, including encouraging citizens' participation in decision-making and public policy preparation (i.e., promoting the principles and values of democracy).

5. Legal Bases

5.1. Consent

The Law provides for express consent as legal basis for processing of biometric data and health data. Consent is also provided as a valid legal basis for processing national identification numbers.

5.2. Contract with the data subject

No national variations. The GDPR definition applies.

5.3. Legal obligations

The Law stipulates that biometric data and health data can be processed on the basis of express legal obligation. This legal basis is also applicable to processing of national identification numbers.

Law 363/2018 states that sensitive data can be processed only if strictly necessary on a case-by-case basis if such processing is expressly provided by law.

Law 363/2018 expressly prohibits automated decision-making and profiling with respect to sensitive data. Nevertheless, automated decision-making with respect to personal data is allowed if such action is expressly provided by law.

5.4. Interests of the data subject

No national variations. The GDPR definition applies.

5.5. Public interest

The Law provides the possibility to process special categories of data in the context of performance of a task carried out in the public interest. Such processing requires special guarantees (i.e., implementing technical and organizational measures in order to ensure the security and confidentiality of data in line with Article 5 of the GDPR, appointing a DPO, and implementing retention periods subject to the nature of the data and the scope of processing).

5.6. Legitimate interests of the data controller

No national variations. The GDPR definition applies.

5.7. Legal bases in other instances

National implementation of Article 89 of the GDPR

As per Article 8(1) of the Law, the processing of personal data for scientific or historical research, or statistical purposes may be carried out without the observance of the provisions of Articles 15, 16, 18, and 21 of the GDPR, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfillment of those purposes. As per Article 8(2) of the Law, the processing of personal data for archiving purposes in the public interest may be carried out without the observance of the provisions of Articles 15, 16, 18, 19, 20, and 21 of the GDPR, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfillment of those purposes.

Nonetheless, these specific derogations from Article 8 of the Law are subject to the conditions and safeguards referred to in Article 89(1) of the GDPR.

Furthermore, where the processing referred to in Article 8(1)(2) of the Law serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in the aforementioned provision.

National implementation of Article 87 of GDPR

The processing of the national identification number for the purposes of the legitimate interests pursued by the controller or by a third party can only be carried out if the controller has implemented the following safeguards:

• technical and organizational measures to ensure that such processing is carried out in accordance with the data minimization principle, as well as ensuring the security of the processing in accordance with Article 32 of the GDPR;
• has appointed a DPO;
• has set up storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion; and
• regular training of the personnel with duties related to the processing of such personal data by both the controller and processor has been ensured.

National implementation of Article 88 of the GDPR

The processing of employees' personal data for the purposes of the legitimate interests pursued by the employer, using surveillance of electronic communications and video monitoring systems at the workplace, may only be carried out if:

• such processing is justified and does not override the rights and freedoms of employees;
• employees have been clearly and fully informed of such processing;
• the employer has sought the opinion of the collective bodies or employee representatives prior to such processing;
• less intrusive means have been implemented but have not achieved the purposes pursued by the employer; and
• the storage period is proportionate to the purpose of processing, and in any event not longer than 30 days, except if the law provides otherwise or in duly justified cases.

6. Principles

The principles of data protection are as follows:

• Lawfulness, fairness, and transparency:
  • for processing of personal data to be lawful, you need to identify specific grounds for the processing. This is referred to as a 'lawful basis' for processing, and there are six options which depend on your purpose and your relationship with the individual;
  • you are not allowed to use the personal data in an unlawful way in a more general sense, including statute and common law obligations, whether criminal or civil;
  • fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them;
  • transparency means you must be clear about why personal data is being collected and how it is going to be used. If a data subject requests further information regarding the processing of their data, then organizations are bound to provide this in a timely manner. The collection, processing, and disclosure of data must all be done in accordance with the law, based on an adequate data processing ground;
• Purpose limitation: controllers must have a specific and legitimate reason for collecting and processing personal data. The data can only be used for the designated purpose and must not be processed for any other use unless the data subject has provided their explicit consent. There is a bit more flexibility with processing conducted for archiving purposes in the public interest or for scientific, historical, or statistical purposes;
• Data minimisation: data must be 'adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed'. This means that organisations should only store the minimum amount of data required for their purpose (i.e. necessary, relevant, and adequate to the processing). Controllers cannot just collect personal data on the off chance that it might be useful in the future. If they are holding more data than is necessary, this is likely to be unlawful;
• Accuracy: data must be accurate, fit for purpose, and up to date. This means that organizations should regularly review information held about individuals and delete or amend inaccurate information accordingly. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within one month. This streamlining of information will help improve compliance and ensure business databases are accurate and up to date;
• Storage limitation: if data is no longer needed for the purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it;
• Integrity and Confidentiality: appropriate measures in line with the state of the art should be in place to secure the personal data you hold. This could be protection from internal threats such as unauthorized use, accidental loss, or damage, as well as external threats such as phishing, malware, or theft; and
• Accountability: controllers must take responsibility for the data they hold and demonstrate compliance with the other principles. This means that they must be able to evidence the steps they have taken to demonstrate compliance.

Nevertheless, the Law provides for derogations from the principles entailed in the GDPR. Hence, according to Article 7 of the Law, in order to ensure the freedom of expression and the right for information, processing of data may be carried out for journalistic purposes or for the purpose of academic, artistic, or literary expression, being exempted from data privacy principles, if such data:

• have been manifestly made public by the data subject;
• are closely linked to the data subject's status as a public person; or
• are closely linked to the public nature of the facts the data subject is part of.

7. Controller and Processor Obligations

7.1. Data processing notification

No specific national requirements have been adopted in relation to notification and registration.

7.2. Data transfers

There are no general restrictions on the transfer/localization of personal data.

However, special laws may provide for limitations on transfers/localization depending on the type of personal data/operations/owner of data. For instance, we mention the following:

• airline transport passengers' data from the official evidence system held by passenger information units may be stored only on EU servers;
• personal data handled by pensions companies and privately managed pension funds active in Romania need to be kept only on the hardware/storing capacities located at their headquarters;
• data related to online remote gambling needs to be mirrored on a safe server located in Romania; moreover, the communications network/equipment and the central point where the core IT systems must be located in Romania or on the territory of another EU Member State/EEA or in the Swiss Confederation;
• the data warehouse related to the movement of tobacco products from their entry date in EU, including all intermediate movements, needs to be located on EU territory; and
• where hosting refers to classified information, the rules established in line with the National Standards for Protection of Classified Information in Romania should be considered, such may require location of data in Romania where the controller/processor is appointed as service provider in relation to such information, and ownership of the main infrastructure by the relevant public institution and accreditation by relevant authority of any service providers or software provided in view of integration in the main infrastructure or use in relation to classified information.

7.3. Data processing records

No national variations. The GDPR definition applies.

7.4. Data protection impact assessment

Pursuant to Decision No. 174/2018 ('the Blacklist'), the ANSPDCP established that the following activities shall result in a high risk to the rights and freedoms of natural persons and, therefore, for them a DPIA is required:

• processing of personal data carried out for a systematic and extensive evaluation of personal aspects relating to natural persons, that is based on automated processing, including profiling, and based on which decisions that produce legal effects concerning the natural person or, similarly, significantly affect the natural person, are taken;
• processing on a large scale of personal data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, as well as biometric data for the purpose of uniquely identifying a natural person, data concerning health, or a natural person's sex life or sexual orientation, and personal data relating to criminal convictions as well as offenses;
• processing carried out for systematic monitoring of a publicly accessible area on a large scale, such as video surveillance in shopping centers, stadiums, markets, parks, and other similar spaces;
• processing on a large scale of personal data pertaining to vulnerable natural persons, especially to minors or employees, via means of automated monitoring and/or systematic recording of their behavior, including carrying out activities involving commercials, marketing, and advertising;
• processing on a large scale of personal data by use of innovative, or by the implementation of, new technology, particularly when such activities limit the ability of data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces;
• processing on a large scale of personal data generated by devices with sensors which send data over the internet or by other means (Internet of Things ('IoT') applications such as Smart TVs, connected vehicles, smart meters, smart toys, smart cities, or other similar applications); and
• processing on a large scale and/or systematic processing of traffic data and/or geolocation data of the data subjects (such as Wi-Fi monitoring, geolocating passengers in public transportation, or other similar cases) when the processing is not necessary for the performance of the services requested by the data subject.

In addition, the Blacklist provides that a DPIA is not mandatory where the processing pursuant to Article 6(1)(c) and (e) of the GDPR has a legal basis in Union law or in the law of the Member State and DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis.

Furthermore, the European Data Protection Board ('EDPB') published the following Opinion for Romania Opinion 19/2018 on the draft list of the competent supervisory authority of Romania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR).

7.5. Data protection officer appointment

As per the Law, the appointment of a DPO is mandatory whenever processing of a national identification number is carried out. The DPO needs to be notified to the ANSPDCP.

In this regard, the ANSPDCP has launched a portal where controllers and processors can notify the DPO to the ANSPDCP (only available to access in Romanian here).

Furthermore, since 2017, the DPO role has been included in the Romanian Classification of Occupations.

7.6. Data breach notification

No specific national requirements have been adopted under general data protection legislations.

According to ANSPDCP Decision No. 128/2018 (only available in Romanian here) on the approval of the standard form for the notification of a personal data breach in accordance with the GDPR, in case of a breach incident, the controller shall complete an online form, comprising the following data:

• name of the controller and whether it is a private or a public legal person;
• identity and contact data (i.e. name and surname, email address, phone number, and mailing address) of the DPO;
• whether it is a separate notification or an addendum to a previous notification;
• information regarding the incident, such as:
  • date and time of the incident;
  • date and time when the controller became aware of the incident:
  • type of data breach (i.e. confidentiality/integrity/availability);
  • nature and content of the data concerned;
  • technical and organizational measures taken (or to be taken); and
  • relevant use of additional controllers (if applicable); and
• additional information with respect to the data breach:
  • summary of the incident;
  • number of affected data subjects;
  • potential consequences for data subjects; and
  • technical and organizational measures implemented in order to minimize the risk; and
• content of notification of the data subjects (if applicable), method of communication, number of affected data subjects informed;
• whether the breach regards data subjects citizens of other Member States (if so, whether relevant authorities of that Member State were notified); and
• electronic signature of the controller.

The form shall be communicated to ANSPDCP via email at [email protected].

Sectoral

Law No. 362/2018 on ensuring a high common level of security of networks and information systems (only available to access in Romanian here), modified by Emergency Ordinance no. 104/2021 on the establishment of the National Cyber Security Directorate (only available in Romanian here), transposes Directive of the European Parliament and of the Council on measures for a high level of security of networks and information systems in the Union (Directive (EU) 2016/1148) ('Essential Services Law') sets forth a standard of good practices regarding data security policies and prevention of security incidents in the context of information systems, taking the necessary measures to ensure the protection of the essential security interests of the state. The organizations subject to Essential Services Law that have the obligation to implement its requirements are mainly digital service providers (providing services specific to the online market, online search engines, and cloud computing services), and essential service operators, defined in the normative act, such as electricity and natural gas suppliers, airlines, railway, naval or road transport, banking institutions, hospitals and private clinics, organizations providing drinking water, and companies that provide digital infrastructure (IXP, DNS, TLD).

Such law mainly regulates the following aspects:

• minimum security requirements for the networks and information systems of essential services operators and digital services providers;
• specific requirements for notifying security incidents to the National Cyber Security Directorate ('DNSC') The DNSC is designated as a single point of contact at national level in case of cybersecurity incidents (it has a response team for security incidents ('CSIRT')), develops and updates, inter alia, technical rules on minimum requirements for the security of networks and information systems, develops, and updates technical rules on compliance with security incident notification obligations by operators and providers provided by law; and
• audit controls for compliance with the organizational and security requirements provided under Essential Services Law.

Failure to comply with the abovementioned legal obligations may result in administrative fines of at least RON 3,000 lei (approx. $651) and up to 5% of turnover provided in the last financial situation reported by the economic operator (percentage applies to legal entities with a turnover of over RON 2 million (approx. $434,084). The DNSC may take urgent provisional measures including the cessation of activities, which can be maintained for up to 90 days, a term that can be supplemented if needed by 90 additional days.

Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ('the ePrivacy Law') sets forth a series of requirements that electronic communication services providers must follow in the case of a personal data breach. These requirements are supplemented by the provision of the Commission Regulation of 24 June 2013 on the Measures Applicable to the Notification of Personal Data Breaches under the Directive 2002/58/EC on Privacy and Electronic Communications (Regulation (EU) 611/2013) ('the Regulation'), which sets out additional details on the Directive on Privacy and Electronic Communications' (Directive (EU) 2002/58) (as amended) data breach notification requirements.

Pursuant to the aforementioned legal framework, whenever electronic communication services providers suffer a data breach, they should notify the ANSPDCP of the same, irrespective of the gravity of the breach.

In addition, when such a breach may impact the personal data or private life of a subscriber, the provider of electronic communication services must also notify the concerned data subjects. Such notification would, however, not be necessary if the provider demonstrates to the ANSPDCP that it has applied adequate security measures with respect to the data affected by a security breach. Following the analysis of the respective security breach, the ANSPDCP may order the provider to notify the concerned subscribers.

The above notifications must contain at least:

• a description of the nature of the breach;
• the contact details where additional information on this topic may be obtained; and
• the recommendations as regards the measures for the mitigation of possible negative consequences stemming from such breach.

The minimal content of the data breach notifications is outlined in Annex I of the Regulation.

In addition, providers of electronic communication services must keep evidence of data security breaches that have occurred.

While the GDPR has introduced a general requirement for the controllers to comply with data breach notification requirements, the specific data breach requirements under the ePrivacy Law and the Regulation continue to apply to electronic communication services providers. Failure to comply with the abovementioned legal obligations may result in administrative fines from RON 5,000 to RON 100,000 (approx. $1,085 to $21,704). In cases where companies have a turnover exceeding RON 5 million (approx. $1.08 million), fines can amount to up to 2% of the respective companies' turnovers.

7.7. Data retention

Article 5 of the ePrivacy Law states that controllers are under the obligation to delete or anonymize traffic data pertaining to users and subscribers when such data are no longer necessary for the communication, but no later than three years from the communication date.

Furthermore, Article 12 of the ePrivacy Law provides for a retention period of five years from the date of request, or until the issuing of a final court decision applicable to traffic data, equipment identification data, and localization data when retention is requested by the court, criminal prosecution authority, or national security authority for preservation of evidence.

Law 363/2018 stipulates in Article 37 that the controller had the obligation to document all breach incidents and retain such records for a period of five years since notifying the supervisory authority.

In addition, according to Article 45, the operator shall be required to keep records of transfers for a period of ten years which shall, on request, be made available to the supervisory authority.

Accounting Law No. 82/1991 amended by Law No. 36/2023 and Order of the Ministry of Public Finance No. 2634/2015 regarding the financial-accounting documents amended by Order No. 1447/2023 (only available in Romanian here) expressly provide that:

• the mandatory accounting records and the supporting documents underlying the entries in the financial accounts shall be kept in the archives for five years from July 1 of the year following the end of the financial year in which they were drawn up, including for the payroll statements; and
• persons who use computerized automatic data processing systems shall be obliged to ensure that the data recorded in the accounts are processed in accordance with the applicable accounting regulations, checked, and stored on technical media for five years from July 1 of the year following the end of the financial year in which they were drawn up.

Law No. 16/1996 regarding the National Archives (only available in Romanian here), Annex 6, and Government Ordinance No. 905/2017 regarding the general register of employees' records (only available in Romanian here) provide for a term of 75 years from the date of creation for personnel files and similar work data.

Law No. 333/2003 for security protection provides for a term of two years from the date of the log creation for building access security logs. The law entails a retention period of 30 days from the date of collection for GPS monitoring records and CCTV footage.

Law No. 290/2004 concerning the criminal record provides for a retention period of six months from the date of collection for Criminal record check.

7.8. Children's data

No specific national requirements have been adopted, and therefore the standard age for consent under the GDPR applies, which is 16 years (Article 8 of the GDPR) in case of the services on information society. In case of other services, Romanian Civil Code rules shall apply, as per which:

• children under 14 years need consent of the legal guardian; and
• children between 14 and 18 years may consent alone or with the confirmation of their legal guardian, depending on the effects of the act to which they are consenting.

7.9. Special categories of personal data

Processing of genetic, biometric, or health data

The processing of genetic, biometric, or health data for the purpose of making a decision based on automated processing and profiling may only be carried out with the explicit consent of the data subject, or when this is required by an express legal provision, and with the implementation of suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.

Processing of special categories of data for reasons of substantial public interest

The processing of special categories of data, where such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, may only be carried out if the controller or the third party has implemented the following safeguards:

• technical and organizational measures to ensure that such processing is carried out in accordance with the principles set out in Article 5 of the GDPR, in particular, the data minimization as well as integrity and confidentiality principles;
• if necessary, a DPO has been appointed; and
• they have set up storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion.

Processing of special categories of data by political parties, national minorities organizations and non-governmental organizations

The processing of special categories of data by political parties, national minorities organizations, and non-governmental organizations may be carried out without the data subject's consent if the following safeguards have been implemented, including:

• technical and organizational measures to ensure that such processing is carried out in accordance with the principles set out in Article 5 of the GDPR, in particular, the data minimization and integrity and confidentiality principles;
• if necessary, a DPO has been appointed; and
• the setting up of storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion.

It should be noted that under Article 2 of the Law, performing tasks in the 'public interest' includes the activities of political parties or citizen organizations belonging to national minorities and any non-governmental organizations serving the fulfillment of the objectives provided by constitutional law or public international law or the functioning of the democratic system.

Processing of personal data under Law No. 363/2018

For processing of personal data under Law No. 363/2018 of 28 December 2018 (only available in Romanian here) ('Law No. 363/2018'), certain obligations have been provided, including:

• any normative act that establishes personal data processing activities for the prevention, detection, investigation, prosecution, and control of criminal offences or the execution of sanctions, education, and measures should at least stipulate:
  • the general context of the processing;
  • the personal data to be processed;
  • the purposes of the processing; and
  • the general and where appropriate, specific retention periods of personal data (such specific retentions periods being mandatory where):
    • personal data refers to minors;
    • special categories of personal data are processed; and
    • where the competent authority cannot determine the degree of accuracy of the processed personal data;
• the specific retention periods cannot be longer than half the general storage period established for the envisaged purpose of the processing;
• the obligation to inform the data subject of the identity and contact details of the competent authority, contact details of the DPO, the purposes for which the personal data is processed, and the competent authority's right to postpone/restrict/omit the provision of information to the data subject in certain cases;
• appropriate technical and organizational measures for the processing of personal data;
• the obligation for the competent authority to keep track of all categories of processing activities carried out under its responsibility; and
• the designation of a DPO.

7.10. Controller and processor contracts

No general local requirements exist in respect to contracts being concluded between a controller and processor. With respect to the controller-processor relationship, GDPR standards apply.

8. Data Subject Rights

No specific national requirements have been adopted in relation to data subject rights. However, public authorities falling under Law No. 363/2018 are allowed to answer data subjects' requests within an extended timeframe of 60 days and not one month as per GDPR.

8.1. Right to be informed

Law 363/2018 provides in Article 17 for specific derogations from the right to be informed if such a measure is necessary and proportionate in a democratic society in order to:

• avoid obstruction of the proper conduct of criminal investigations;
• avoid prejudicing the prevention, discovery, investigation, prosecution, and combating of criminal offences or the execution of penalties;
• for reasons of public order and safety;
• for national security reasons; or
• protect the rights and freedoms of other persons.

Nevertheless, the data subject is still entitled to be informed with respect to the processing categories not affecting the above-mentioned situations. Furthermore, the data subject shall be informed of the reason behind such measure (unless such disclosure affects the processing entailed above) and of the right to make a complaint with the supervising authority or the relevant court.

8.2. Right to access

No national variations. The GDPR definition applies.

8.3. Right to rectification

No national variations. The GDPR definition applies.

8.4. Right to erasure

No national variations. The GDPR definition applies.

8.5. Right to object/opt-out

No national variations. The GDPR definition applies.

8.6. Right to data portability

No national variations. The GDPR definition applies.

8.7. Right not to be subject to automated decision-making

No national variations. The GDPR definition applies.

8.8. Other rights

No national variations. The GDPR definition applies.

9. Penalties

The sanctioning regime of the ANSPDCP whenever an infringement of the GDPR or national legislation occurs, has been established by both the Law and the ANSPDCP Law.

Sanctioning regime under ANSPDCP Law

The administrative sanctions that the ANSPDCP may impose for infringements of the GDPR or national legislation are:

• a warning; and
• an administrative fine.

These sanctions may be imposed by the ANSPDCP within three years from the date when the infringement occurred. However, such term will be interrupted if any legal proceeding has been carried out by the ANSPDCP, without exceeding a maximum term of four years. Where infringements occur continuously or are the result of actions or inactions, that have occurred at different time intervals, based on the same resolution, yet each one of them has been carried out in the context of the same offence, such term will start from:

• the data of the discovery; or
• from the date of cessation of the last action, if this moment occurs prior to the discovery.

When the amount of the fine exceeds €300,000, the fine will be applied only through a decision of the Chairman of ANSPDCP.

Furthermore, corrective measures can be applied either by decisions of the ANSPDCP or by the minutes issued by the ANSDPCP's representatives. However, certain corrective measures, for example, temporary or definitive limitation on processing, rectification, or erasure of personal data, restriction of processing, can only be applied by decisions of the ANSPDCP.

Notably, the imposed sanctions or corrective measures can be challenged within 15 days from the date when the minutes or decision was communicated or handed over, before the competent tribunal. The court's judgement can only be appealed before the competent court of appeal. The challenge will only suspend the payment obligation until a definitive judgement has been pronounced. Any applied fine must be paid within 15 days from the date when the minutes or decision was communicated or handed over.

In the event of non-compliance with the measures ordered, or in the case of a tacit or express refusal to provide all the information and documents requested in the investigation, or in the case of a refusal to carry out the investigation, the ANSPDCP may impose by decision a fine of up to RON 3,000 (approx. $651) for each day of delay, calculated from the date set by the decision.

With regards to complaints submitted or investigations started prior to May 25, 2018, which are currently pending to this date, the ANSPDCP will impose fines according to the provisions applicable at the time the infringement occurred, if the fines imposed by the GDPR higher.

Sanctioning regime under Law No. 363/2018

The rules by which public authorities and bodies are sanctioned are different than any other entity. As such, any infringement of the GDPR or national legislation by public authorities and bodies will first be sanctioned with a warning and a remedy plan will be imposed by the ANSPDCP, which will also set a remedy term.

If within ten days of the ending of the remedy term, the public authority or body fails to fulfil the measures set out in the remedy plan, then the ANSPDCP may impose pecuniary sanctions. Under the provisions of Law No. 363/2018, the competent authority may be granted an extension on the remedy term for up to 30 days.

Nonetheless, the administrative fines in such cases are capped at a maximum of RON 200,000 (approx. $43,408).

As regards private entities or individuals, such provisions have not been regulated. Therefore, such entities may be sanctioned directly with a fine within the limits set out in the GDPR, depending on the seriousness and the consequences of the infringement.

Sanctioning regime under Law 362/2018 on ensuring a high common level of security of networks and information systems

The sanctioning regime pertaining to essential service providers entails special provisions as well. Hence, prior to imposing a sanction for infringement of any obligation under the Essential Services Law or any act issued by the DNSC, the auditing body shall notify the essential service provider in default communicating the infringement, the mandatory measures to be implemented, the deadline and the potential sanction if the provider does not comply.

Therefore, subject to the nature of the infringement, the administrative fines fall between RON 3,000 (approx. $651) and RON 50,000 (approx. $10,852) with up to RON 100,000 (approx. $21,704) for repeated infringements.

Furthermore, undertakings with a turnover exceeding RON 2 million (approx. $434,084) are subject to administrative fines between 0.5% and 2% of the turnover, with up to 5% of the turnover for repeated infringements.

Sanctioning regime under Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector

The rules by which providers of electronic communications are sanctioned also have their regime. In this regard, for infringements of the provisions stipulated in Law No. 506/2004, the administrative fines range between RON 5,000 (approx. $1,085) and RON 100,000 (approx. $21,704).

In addition, undertakings with a turnover exceeding RON 5 million (approx. $1.08 million) are subject to administrative fines up to 2% of the turnover.

Furthermore, ANSPDCP can also apply penalty fines per day for up to RON 5,000 (approx. $1,085) for lack of notification of a security breach to the data subject.

9.1 Enforcement decisions

Since the GDPR entered into force, the ANSPDCP has issued numerous enforcement decisions for failure to comply with the GDPR requirements. Amongst these, we note that the ANSPDCP has applied over 59 administrative fines exceeding, in aggregate, €681,175.

Please find below a summary of the most notable sanctioning decisions issued by the ANSPDCP:

• Banca Transilvania S.A. was fined €100,000 for disclosure in the public space (online) of the statement requested by the controller from a customer about how he intended to use a certain amount of money that he wanted to withdraw from his account. This statement was distributed among several employees of Banca Transilvania on work email addresses. One of the employees listed the e-mail containing the customer's statement, as well as the email containing the internal conversation between the bank's employees. Another employee photographed the listed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the listed document was posted and distributed on Facebook and on a website. The violations found are as follows:
  • lack of sufficient measures to ensure that any natural person acting under the authority of the bank who has access to personal data only processes them at the request of the controller; and
  • ineffectiveness of the internal training of the bank's employees regarding the observance of the personal data protection norms of the data subjects.

In the civil decision, the Court of Appeal held that the casualty with which Banca Transilvania employees acted, transmitting the personal data of the bank's client to one another and third parties, attests to the ignorance of work procedures regarding the processing of personal data, but also importantly their inability to identify and qualify the data they had access to as personal data, which indicated an acute lack of effective training. Moreover, the Court stated that the ANSPDCP was correct in qualifying the seriousness of the amount of personal data disseminated by bank employees, their sensitive nature, the manner of dissemination, noting the extremely large number of people who gained access to the bank's customer data for an indefinite period of time. Along similar lines, the Court provided that the ANSPDCP properly capitalized on the criteria provided in Article 83(2) (c) to (k) of the GDPR, noting that this was evidenced by the examination of the criteria, the fine which was much lower than the maximum available, and the detailed analysis performed.

• Romania Mobile Communications S.A. was fined €10,000 for violation of Article 32(1) and (2) of the GDPR and €3,000 for failing to take appropriate security measures to ensure the security of the processing of the personal data. The fine was issued because of Telekom Romania's failure to implement adequate security measures. Such failure led to, among other things, the unauthorized disclosure of data of 99,210 data subjects, including their customer ID, sex, and telephone number, as well as unauthorized access to personal data stored in the accounts of 413 customers.
• UniCredit Bank S.A was fined €130,000 for a breach of Article 25(1) of the GDPR relating to the principles of Data Protection by Design and by Default. The fine was issued as a result of the failure to implement appropriate technical and organizational measures which resulted in the online disclosure of the IDs and addresses of over 300,000 data subjects (only available in Romanian here).
• ING Bank N.V. Amsterdam – Bucharest Branch was fined €80,000 for insufficient technical and organizational measures to ensure information security. The ANSPDCP found that the credit institution failed to implement adequate measures for its automated data processing system during the settlement process of card transactions, resulting in double transactions being executed. The non-conformity affected over 220,000 customers (only available in Romanian here).
• Raiffeisen Bank S.A. and Vreau Credit S.R.L. were fined €170,000 (€150,000 Raiffeisen Bank SA and €20,000 Vreau Credit S.R.L.) for violations of Article 32 of the GDPR (insufficient technical and organizational measures to ensure information security). The ANSPDCP found that two employees of Raiffeisen Bank S.A. received from employees of Vreau Credit S.R.L., through the WhatsApp mobile application, copies of IDs of natural persons (potential clients of Vreau Credit S.R.L.). The employees of Raiffeisen Bank S.A. performed scoring simulations through the computer application used by Raiffeisen Bank S.A. in the crediting activity and the result of the credit scores was communicated back to the employees of Vreau Credit S.R.L., with the infringement of the internal procedures. The authority found that 1,194 simulations were performed, with 1,177 individuals being affected (only available in Romanian here).
• CNTAR TAROM S.A. was fined €15,000 for failure to take appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). The breach resulted in an employee having unauthorized access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers and disclose this list on the internet (only available in Romanian here).
• World Trade Center Bucharest S.A. was fined €15,000 for breach of Article 32(1) of the GDPR relating to security for the processing of personal data. The breach consisted of the failure to take steps to ensure that data is not disclosed to unauthorized persons. In the case at hand, a printed paper list used for the breakfast check-in of the customers staying at the hotel (i.e. containing the personal data of 46 customers) was photographed by unauthorized people outside the company. The photographed list was then disclosed in an online publication (only available in Romanian here).
• Telekom Romania Communications was fined €6,000 for violations of Articles 5(1)(d) and (f), 5(2) and 17 of the GDPR. The ANSPDCP found that Telekom had erroneously collected and processed certain inaccurate personal data, which had also led to the unlawful disclosure of personal data to another natural person, in breach of the principles of processing of personal data, enshrined in Articles 5(1)(d) and (f) and 5(2) of the GDPR. In addition, the ANSPDCP stated that, during the investigation, it was also found that Telekom had not taken the necessary measures to comply with the erasure request made in accordance with Article 17 of the GDPR (only available in Romanian here).
• MEDLIFE S.A. was fined €5,000 for violations of Article 32 para. (1) (b), para. (2) and para. (4) of the GDPR. In particular, ANSPDCP highlighted that MEDFLIFE did not implement adequate technical and organizational measures to ensure a level of confidentiality and security appropriate to the risk presented by the processing, which led to the unlawful access or disclosure of personal data of MEDLIFE's own clients (name, surname, CNP, medical service received, medical analysis carried out, amount paid, bank account) and of its employees (advance salary), during July 2020 - August 2020. Although the controller was obliged to take measures to ensure that any natural person acting under its authority and having access to personal data does not process them except at the request of the controller, it was found that it did not take the necessary measures (only available in Romanian here).
• ING Bank N.V. Amsterdam Sucursala București was fined €20,000 for violations of Articles 32(1) and (2) of the GDPR. The ANSPDCP stated that the security incident had involved the disclosure and access of ING Bank customer personal data without prior authorization. Specifically, the ANSPDCP indicated that the categories of accessed personal data included identification data associated with identity documents, contact details, banking data (transactions and products owned, data associated with the card), and online banking usernames and passwords. Notably, the ANSPDCP explained that this incident had resulted in the execution of payment operations by third parties. As a result of its investigation, the ANSPDCP found that ING Bank had not implemented adequate technical and organizational measures in order to ensure a level of security corresponding to the risk for the rights and freedoms of natural persons, which had resulted in the unauthorized disclosure and access to the personal data of ING Bank's customers (only available in Romanian here).

According to an ANSPDCP press release, regarding the activity of representation before Romanian Courts, of the disputes challenging the sanctions/measures applied by the authority, by March 31, 2023, 23 cases have been finalized and, in 18 of these cases, final decisions have been rendered in favor of the ANSPDCP (only available in Romanian here).