Support Centre



Law: Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('the Law') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: National Supervisory Authority for Personal Data Processing ('ANSPDCP')

Summary: The GDPR was implemented in Romania in 2018 through the Law. The Law is relatively comprehensive and includes, in particular, detailed provisions on the processing of data for journalistic purposes or academic or artistic expressions, on certification bodies, and on corrective measures and sanctions for both private and public bodies. Under the Law, the ANSPDCP is the competent supervisory authority for data protection matters. The ANSPDCP is an active regulator that has released a dedicated GDPR resource centre for organisations.


Spanning a long history, whistleblowing is widely regarded as a practical way to detect, investigate, and eventually prosecute a breach of law which, without the input of a whistleblower, risks going undetected. As until 2022, only the public sector was regulated with regard to whistleblowers, private sector companies aiming to implement such mechanisms having no other option but to draw on and apply the (sometimes inappropriate) provisions of the law applicable to the public sector.

Bringing confusion to a halt, at the end of last year, on 22 December 2022, Law No. 361/2022 on the protection of public whistleblowers ('the Whistleblowing Law') finally came into force in Romania, transposing Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'). Iulian Popescu, Oana Lupu, and Alexandra Moldovanu, from Muşat & Asociaţii, summarise key provisions under the Whistleblowing Law and analyse its intersections with data protection.