Romania: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

As in any other EU country, the financial sector is one of the most heavily regulated sectors in Romania. One of the many reasons for this is that the financial sector is highly data-driven, processing large amounts of data belonging to private individuals on a daily basis. The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') allows for administrative fines of up to €20 million or 4% of a company's global annual turnover, but other measures, such as the cessation of the processing activity ordered by the National Supervisory Authority for Personal Data Processing ('ANSPDCP'), or the loss of image and reputation, may be even more damaging. Moreover, many banks and other financial services institutions in Romania, such as non-banking financial institutions, credit card issuers and insurance companies, have been thrown off by the complexity of the GDPR, which entered into force on 25 May 2018. In the financial sector, the GDPR protects the sensitive personal data of customers and employees and requires banks to analyse their internal processes, systems and organisational structure, leading to major changes in technical conceptual design and in the definition of technical details.

As the financial industry moves further towards digitalisation, the privacy rules applicable to the telecommunications and electronic communications sectors will also become relevant for companies active in the financial sector.

The following EU legislation, among others, is applicable:

The European Data Protection Board ('EDPB') has issued the following relevant Opinion:

The Article 29 Working Party ('WP29') has issued the following relevant guidance:

The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:

In addition to the provisions of the GDPR, Romanian entities active in the financial sector must abide by the provisions of national law containing measures for application of the GDPR. Thus, Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('the GDPR Implementation Law') has laid down certain measures for implementing the GDPR, including in cases of processing national identifiers such as the personal numeric code or series and identity card numbers, especially when based on legitimate interest. Processing of such data requires additional guarantees to safeguard lawful processing and requires the appointment of a data protection officer.

In accordance with the possibility granted under the GDPR, in 2018 the Romanian Association of Banks and the Romanian Banking Patronage Council adopted a new code of conduct applicable to the banking industry, which builds on the fundamental principles of reciprocity, trust, non-discrimination, competency and professionalism, respect for the law and professional ethics, confidentiality and protection of personal data.

Taking its supervisory and regulatory role very seriously, the ANSPDCP has issued a number of decisions aimed at shedding more light on the application of the GDPR and the GDPR Implementation Law. For example, the ANSPDCP enacted Decision No. 99/2018 (only available in Romanian here), which allowed further GDPR implementation measures to be adopted into Romanian law and repealed 17 regulations issued by the Romanian Ombudsman between 2002 and 2015, which at that time implemented the Data Protection Directive (Directive 95/46/EC). Subsequently, GDPR implementation by the ANSPDCP has included Decision No. 128/2018 approving the GDPR personal data breach notification form (only available in Romanian here) and Decision No. 133/2018 approving the GDPR complaints procedure applicable before the ANSPDCP (only available in Romanian here) ('Decision No. 133'). Decision No. 133 allows a data subject to draft a complaint in either Romanian or English for submission to the ANSPDCP in relation to an alleged breach of the GDPR. This is a significant step forward compared with the previous procedures for complaints to public authorities, which had to be submitted in Romanian only.

Recently, the ANSPDCP applied the first financial sanction based on GDPR provisions to a banking entity. The sanctioned company is Unicredit Bank S.A., one of the largest local banks. The investigation, completed on 26 June 2019 by the ANSPDCP, concluded that Unicredit had breached Article 25(1) of the GDPR regarding the implementation of privacy by design and by default, for which a fine of RON 613,912 (approx. €126,400) was imposed.

In particular, the sanction was imposed by the ANSPDCP following an investigation which started on 22 November 2018 and found that the personal identification numbers and addresses of persons making payments to Unicredit via online transactions were disclosed to the beneficiary of the transaction through the account statement, affecting 337,042 data subjects between 25 May 2018 and 10 December 2018.

According to Article 5(1)(c) of the GDPR, concerning the principles relating to the processing of personal data, Unicredit had the obligation to process such data only for the intended purposes and to secure data protection from the commencement of processing, by designing appropriate technical and organisational measures. Furthermore, the ANSPDCP considered that Unicredit should also have taken Recital 78 of the GDPR into account.

When tackling the issue of data protection and privacy in the financial sector, it should be noted that data protection is intertwined with anti-money laundering ('AML') regulations. Law No. 129/2019 on the Prevention and Combating of Money Laundering and Terrorism Financing (only available in Romanian here) ('the AML/CFT Law') includes the principle that any AML assessment should be conducted while ensuring the security of personal data. The AML/CFT Law requires private legal entities and fiduciaries registered in Romania to obtain and hold adequate, accurate and up-to-date information about their beneficial owner, including the manner in which that beneficial ownership arises, and to provide this information to the supervisory authorities for review upon request. Access to the central registry set up under the AML/CFT Law must observe data protection rules, e.g. the limited scope of use of the information accessed, based on the 'need to know' principle.

Another regulation impacting data protection and privacy is the Emergency Ordinance No. 99/2006 on Credit Institutions and Capital Adequacy (only available in Romanian here) ('the Emergency Ordinance').

In addition, entities in the financial sector must also abide by the following regulations:

  • regulations issued by the National Bank of Romania ('BNR') for Know Your Customer ('KYC') purposes, such as BNR Regulation 9/2008 regarding the Awareness of Client's Profile to prevent Money Laundering and Financing of Terrorism (only available in Romanian here);
  • BNR Regulation 5/2013 on Prudential Requirements for Credit Institutions (only available in Romanian here) ('the Credit Institutions Regulation'); and
  • anti-bribery regulations.

Further to the above, banks are subject to internal rules such as the bank's group reporting under International Financial Reporting Standards ('IFRS'), credit provisioning and risk provisioning, among other things.

1.2. Supervisory authorities

The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

The ANSPDCP had supervisory powers before the GDPR and continues to act as the supervisory authority under the GDPR.

However, the data governance framework in Romania, relevant to entities in the financial sector, will also involve abiding by procedures imposed, inter alia, by the following regulatory bodies:

2. Personal and Financial Data Management

A banking or financial relationship is based on trust. Therefore, employees in the financial sector are required to carry out their activities in good faith, according to honest practices, and to consider the interests of all parties involved. They must abide by the financial sector regulations and professional ethics rules. In particular, for GDPR purposes, employees who have access to and process personal data must take part in initial and continuous training (workshops, e-learning, etc.) on data protection and privacy issues, ensuring that they are aware of the importance and risk of their activities and that they apply the principle of lawful processing of data.

It is worth mentioning, at this point, that pursuant to Article 33(4) of the AML/CFT Law, the professional secrecy and banking secrecy to which the reporting entities are held are not binding upon the National Office for Prevention and Control of Money Laundering ('ONPCSB').

2.1. Legal basis for processing

Under the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency. In addition, processing shall only be lawful if (Article 6(1) of the GDPR):

  • the data subject has given consent to the processing for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies.

In most cases, financial institutions will process personal data in order to fulfil their duties under a contract with the data subject, such as an account agreement, loan contract or insurance policy, or because they have a legal obligation to do so. Provided that the processing is necessary for this purpose, no further legal basis is needed.

For processing operations that are not required for the performance of an agreement, institutions need another legal basis, such as the data subject's consent. Such consent must be freely given, specific, informed and unambiguous. This requires that adequate information is provided, in particular regarding the right to withdraw consent. Consent must also be specific to each processing operation. Therefore, institutions may not rely on broad terms and conditions or blanket consent declarations; rather, they will have to request the individual's consent for each specific type of financial operation. In addition, services must not be made conditional on consent, unless the processing of the data is essential for the service.

For financial institutions, this means evaluating the legitimate basis for their data processing operations, involving verification of existing contracts, terms and conditions, notices and template agreements.

Although it is the most flexible legal basis, the legitimate interest basis must not be abused.

Specific examples of the use of legitimate interest by financial institutions are:

  • fraud and financial crime detection and prevention;
  • AML watch-lists;
  • KYC;
  • credit checks and risk assessments;
  • politically exposed persons;
  • financing of terrorism detection and prevention;
  • anti-fraud purposes, e.g. using information gathered from various sources, such as public directories and publicly available online personal or professional profiles, to check identities when purchases are deemed potentially fraudulent; and
  • defending claims e.g. sharing CCTV images for insurance purposes.

2.2. Privacy notices and policies

The GDPR establishes the principle of transparency (Article 5 of the GDPR). In addition, when data is being processed, information on the controller, purposes for processing, recipients of the data, retention period, and details of the data subject's rights shall be provided to the data subject (Article 13 of the GDPR).

There are no sector-specific requirements, however, financial institutions are required to provide customers with notice of the institution's privacy policies and practices by making them available to the customers via their websites, in-person during a physical meeting at the bank front desk, as well as posting this at reception. As a matter of best practice, banks will make a reference to their data protection policy and applicable privacy notice in their standard business terms and conditions, which must be made available under Law No. 363/2007 of 21 December 2007 (only available in Romanian here).

2.3. Data security and risk management

Taking into account the costs of implementation, nature, scope, context and purposes of the processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).

In the case of financial institutions, technical and organisational measures consist, inter alia, of:

  • pseudonymisation, defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. One example of pseudonymisation would be replacing someone’s name with a random ID number;
  • capacity to ensure confidentiality, integrity, availability and continuous resilience of systems and processing services;
  • capacity to restore the availability of, and access to, personal data in real time where a physical or technical breach has occurred;
  • a process for testing, evaluating and regular and efficient appraisal of technical and organisational measures in order to guarantee the security of processing; and
  • data loss prevention systems.
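As an added illustration of the pseudonymisation definition above (this is example code, not from the page or from any bank's systems), the routine below replaces direct identifiers with a random token and keeps the token-to-identity mapping in a separate store; the record layout, the fictional names, the CNP-like numbers and the addresses are all constructed.

```python
"""Pseudonymisation in the sense of Article 4(5) of the GDPR: direct identifiers are
replaced by a random token, and the token-to-identity mapping (the "additional
information") is kept in a separate store under its own access controls.

Added example; not code from the page or from any bank. Field names and values
are assumptions.
"""
import secrets

# Constructed sample records (fictional customers, CNP-like numbers and addresses).
CUSTOMER_RECORDS = [
    {"name": "Ana Ionescu", "cnp": "2850101123456", "address": "Str. Exemplu 1, Bucuresti",
     "account": "RO00EXMP0000000000000001", "balance": 1250.00},
    {"name": "Ana Ionescu", "cnp": "2850101123456", "address": "Str. Exemplu 1, Bucuresti",
     "account": "RO00EXMP0000000000000002", "balance": 80.50},
    {"name": "Mihai Popescu", "cnp": "1790202654321", "address": "Bd. Test 9, Cluj-Napoca",
     "account": "RO00EXMP0000000000000003", "balance": 9990.00},
]

# Fields that identify the data subject directly and must not appear in the
# pseudonymised dataset.
DIRECT_IDENTIFIERS = ("name", "cnp", "address")


class PseudonymVault:
    """The separately kept mapping between pseudonyms and real identities.

    In production this would be a separate database with its own access control
    and audit logging; here it is an in-memory object so the example runs.
    """

    def __init__(self):
        self._identity_by_token = {}
        self._token_by_cnp = {}

    def pseudonym_for(self, record):
        """Return the pseudonym for the subject of `record`, creating one if needed.

        The token is random rather than derived from the CNP: a plain hash of a
        CNP can be reversed by enumerating the structured 13-digit CNP space and
        hashing each candidate, so it would not qualify as pseudonymisation.
        """
        cnp = record["cnp"]
        token = self._token_by_cnp.get(cnp)
        if token is None:
            token = secrets.token_hex(8)
            self._token_by_cnp[cnp] = token
            self._identity_by_token[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return token

    def reidentify(self, token):
        """Resolve a pseudonym back to the identity; only the vault can do this."""
        return self._identity_by_token[token]


def pseudonymise(records, vault):
    """Strip direct identifiers from each record and attach a pseudonym from `vault`."""
    result = []
    for record in records:
        pseudonymised = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised["subject_id"] = vault.pseudonym_for(record)
        result.append(pseudonymised)
    return result


def leaks_direct_identifiers(records):
    """Check to run before a dataset leaves the controlled environment."""
    return any(k in record for record in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = PseudonymVault()
    data = pseudonymise(CUSTOMER_RECORDS, vault)
    for row in data:
        print(row)
    print("leaks direct identifiers:", leaks_direct_identifiers(data))
```

The pseudonymised rows can be shared with analytics or reporting functions, while only whoever holds the vault can link a `subject_id` back to a person.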

2.4. Data retention/record keeping

Personal data must not be retained in a form that permits the identification of the data subject for longer than is necessary for the purposes the data was processed (Article 5(1)(e) of the GDPR). Moreover, the period for which the personal data are stored should be limited to a strict minimum, and to these ends, time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).

According to the currently applicable regulations, data (including copies of identification documents, supporting documents, etc.) must be stored for five years after the end of the relationship with a client or the performance of an occasional transaction. Minutes of AML/CFT committees shall be stored for 90 years; documents prepared for AML/CFT committees, suspicious transaction reports, cash and international transfer threshold reports, correspondence with various state authorities, periodic (annual) reports to the BNR and periodic reports to the board of administration of the BNR shall be kept for ten years.

Management decisions will be kept permanently, internal control reports must be kept for five years, and training lists must be kept for four years.

3. Financial Reporting and Money Laundering

Collection, processing, storage, and transfer of data would generally follow applicable European regulations and directives. A few new changes have been brought by the AML/CFT Law which are worth mentioning:

  • according to Article 7(1) of the AML/CFT Law, reporting entities have the obligation to report to the ONPCSB cash transactions, in RON or in foreign currencies, that exceed €10,000, whereas the old legal text provided for this obligation only for transactions exceeding €15,000. Reporting entities must transmit the reports to the ONPCSB by electronic means only, so the technical and organisational measures relevant to electronic communications must be secured. Article 33(4) of the AML/CFT Law provides that the professional secrecy and banking secrecy to which the reporting entities are held are not binding upon the ONPCSB; and
  • according to Article 13(1)(c) of the AML/CFT Law, reporting entities have the obligation to apply standard KYC measures in the case of persons who trade goods as professionals when making occasional cash transactions of at least €10,000, irrespective of whether the transaction is carried out through a single operation or through several interconnected operations, reducing the cap from the previously regulated amount of €15,000.

4. Banking Secrecy and Confidentiality

Banking secrecy and confidentiality provisions are included in the Emergency Ordinance, which requires banks to preserve confidentiality over facts, data and information regarding the activity carried out, as well as over any fact, data or information in their possession regarding the client's person, property, activity, business, personal or business relations, the client's accounts (balance, movements, operations), services rendered, and contracts concluded with the client.

Banking secrets may be disclosed only to the extent justified by the purpose for which disclosure is required, and only in the following limited situations:

  • upon request of the account holder or his/her heirs, including legal representatives;
  • where the credit institution can justify a legitimate interest;
  • upon written request from authorities or institutions or ex officio, where such authorities or institutions are entitled by law to ask and receive such information and the information to be disclosed is clearly defined;
  • upon written request of the spouse of the account holder, when proof is given that he/she entered a court claim for division of the common assets, or upon the court request;
  • upon the request of a court, in view of resolving court cases;
  • upon the request of a court bailiff, in view of enforced execution, regarding the existence of debtors’ accounts; and
  • upon the request of a public notary, within the formalities of succession.

The regulations regarding banking secrecy and data protection will also apply to loan transfer operations. From this perspective, the bank’s obligations are:

  • to obtain consent from the data subjects, in particular where sensitive data are concerned (where such consent was not already obtained under the finance documentation). This formality may be waived where the bank invokes a legitimate interest substantiating the disclosure; and
  • to inform the data subject with the minimum required information under the GDPR.

5. Insurance

According to Article 25(6) of Law No. 237/2015 on the Authorisation and Supervision of Insurance and Reinsurance Activities (only available in Romanian here), companies shall use the personal data of contractors, including fiscal identification codes, only for the purpose of contract management or claims handling, in compliance with the GDPR Implementation Law. According to Article 34 of Law No. 236/2018 on Insurance Distribution (only available in Romanian here), the following conditions apply to the processing of personal data:

  • communications and information on personal data shall be made in accordance with the legal provisions; and
  • distributors shall use the personal data of their clients in compliance with the applicable law on the collection and processing of personal data and the free movement of such data.

6. Payment Services

The revised Payment Services Directive (Directive (EU) 2015/2366) ('PSD2') provides new rules to ensure legal certainty for consumers, merchants and companies within the payment chain and modernises the legal framework for the payment services market. It sets regulatory requirements for payment service providers (banks, other payment institutions and third-party service providers), increasing the security requirements for payment services by imposing rules and boundaries for access to the personal data of users of electronic payment services.

PSD2 has been transposed into law with some delay in Romania, through Law No. 209/2019 regarding Payment Services and for the Modification of Other Acts (only available in Romanian here) ('the Romanian Payment Services Law'), which came into force on 13 December 2019.

The Romanian Payment Services Law contains provisions that essentially mirror those of PSD2. It provides that personal data may only be processed in observance of the legal provisions regulating the protection and security of personal data. For example, PSD2 provides for the standards that define the requirements for strong customer authentication, as well as the cases in which payment service providers are exempted from such requirements. Other requirements, such as explicit consent for data processing from the payment service user, a specified processing purpose, conditions for data transfers, and other data protection and security principles, including in the case of a breach of data protection and security, are standard for the European data protection framework and must be implemented equally when applying PSD2. The competent authority for reporting security incidents under the Romanian Payment Services Law is the BNR. The BNR is authorised to process any relevant information and data, including personal data, for the purpose of its prudential monitoring of payment service providers with a view to preventing, investigating and detecting payment fraud; however, the Consumer Protection Authority ('ANPC'), the Competition Council and the ANSPDCP also have competencies in ensuring that the law is correctly applied.

In line with PSD2, under the Romanian Payment Services Law, payment institutions may provide operational services ancillary to payment services, consisting of retaining or storing, and processing personal data of customers.

As financial institutions have to work with both PSD2 and the GDPR, there appears to be a conflict between the two, with the local banking industry working on how to standardise the way account data is accessed by third-party providers and protected against fraud and payment incidents, as well as on implementing compliance with the regulatory technical standards. The EDPB's Guidelines 06/2020 on the interplay of the PSD2 and the GDPR ('the EDPB Guidelines'), published on 15 December 2020, provide further guidance and clarification on data protection aspects in the context of PSD2; payment institutions must comply with these guidelines, and generally with the GDPR, in order to reach an adequate degree of security in the processing of personal data within the framework of electronic payments. For example, the EDPB Guidelines make clear that explicit consent under PSD2 is different from (explicit) consent under the GDPR: the 'explicit consent' referred to in Article 94(2) of PSD2 is a contractual consent. Particular emphasis is given in the EDPB Guidelines to the conditions under which Account Servicing Payment Service Providers ('ASPSPs') grant access to payment account information to Payment Initiation Service Providers ('PISPs') and Account Information Service Providers ('AISPs') (as such terms are defined in the EDPB Guidelines), especially granular access to payment accounts. The EDPB Guidelines also address the processing of 'silent party data', the processing of special categories of personal data by PISPs and AISPs, data minimisation, security, transparency, accountability and profiling, among other matters.

There are no sector-specific requirements in Romania relating to the transfer of personal data by financial institutions or their use of third parties/cloud computing.

7. Data Transfers and Outsourcing

See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.

Additionally, the Credit Institutions Regulation establishes a few requirements regarding the conditions for outsourcing by a bank and the content of a bank outsourcing contract. Thus, the bank outsourcing contract should include provisions regarding the protection and processing of confidential information and the maintenance of banking secrecy by the external provider, to the same extent as applies to the outsourcing bank.

Cloud computing is seen as a form of outsourcing and thus, it will follow the same regime under the Credit Institutions Regulation.

8. Breach Notification

As a general rule, a data controller must notify the competent supervisory authority of any personal data breach it suffers (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.

Apart from the standard requirements imposed by the GDPR, within the Romanian banking sector there are several institutions which must be notified in the case of an IT or security incident, including the BNR and the Ministry of Telecommunications. Depending on the type of incident, different suppliers, such as card system providers (e.g. Visa, MasterCard) and Swift, must be involved. Under the GDPR, a timeframe of 72 hours applies to notifying the local authority; however, under other regulations, such as PSD2, there is a shorter deadline of four hours.

Based on the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), in the case of a security incident, providers of financial services, i.e. suppliers of critical services or economic activities, must notify the ANSPDCP or the competent computer security incident response team without delay.

Apart from the different timeframes, another difference is the assessment of the significance of an incident or breach. Under PSD2, only major operational or security incidents require notification (under the European Banking Authority's Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2), which set out clear criteria and threshold levels), whereas under the NIS Directive, incidents are only required to be reported where they have a significant impact on the continuity of essential services or on the trust in the service provided or the personal data maintained therein, respectively.

9. Fintech

At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an Action Plan on FinTech in addition to publishing discussion papers on the same. Further to this, in September 2020, the European Commission followed up on this with a 2020 Action plan on fintech including a strategy on an integrated EU payments market. The plan and strategy were included in the European Commission's digital finance package. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework.

Currently, there are no sector-specific requirements or restrictions with regard to FinTech companies in Romania, as there is no specific legal framework for the fintech business.

With the continuous innovation in the sector, the fintech companies' features must be carefully assessed in view of their 'go live' as there may be specific applicable regulatory requirements, authorisations or licenses.

A new regulation on distributed ledger technologies is expected to be enacted soon, hopefully in 2021.

Given the novelty of the technologies used, the FinTech sector needs to be carefully assessed to avoid exposure of users' data and funds, especially where its features are aimed at escaping the traditional requirements for banks and other financial institutions. In particular, the principles of Privacy by Design and Privacy by Default become relevant when a FinTech product is created. Last but not least, since a FinTech product will customarily use the user's national identifier (the Personal Identification Number ('PIN')) because of AML and KYC requirements, evaluate user behaviour, or use the user's biometric data such as fingerprints for login purposes, compliance with the GDPR is of utmost importance for FinTech companies.

Of course, even though there are no specific restrictions or prohibitions for the FinTech sector, other generally applicable regulatory requirements in the financial sector, such as the NIS Directive, AML, KYC and IP rights protection, would apply.

10. Enforcement

The GDPR provides for administrative fines of up to (Article 83 of the GDPR):

  • €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
  • €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.

Failure to comply with banking secrecy or AML provisions may lead to civil, disciplinary or administrative liability. In some cases, depending on the circumstances, the failure will be deemed a minor offence or a criminal offence. For example, obstructing an inspection, including refusing to provide the requested information to the control bodies, or initiating business relationships in non-compliance with the AML provisions, will be deemed a minor offence if the action does not constitute a more severe crime. Apart from this, complementary measures may be decided by the control bodies, such as withdrawal of the licence, suspension of business activity for a period of between one and six months, and even closure of the activity.

The AML/CFT Law establishes that the personal use of confidential information by employees of reporting entities constitutes a criminal offence, punishable by imprisonment from six months to three years or by a fine if the action does not constitute a more severe crime. The same penalty also applies to the reporting entities, to the management, administration and control bodies of the company, and to their managers and employees, who fail to comply with the obligation not to transmit, unless provided by law, the information held in connection with money laundering and financing of terrorism, and not to disclose to the targeted customers or to third parties that information is being, has been or will be transmitted in accordance with Articles 6 and 9(1) of the AML/CFT Law, or that an analysis of money laundering or financing of terrorism is in progress or could be carried out.

The AML/CFT Law provides for increased fines for legal entities. Thus, a series of minor offences by legal persons will be sanctioned at a maximum of approx. €30,000. However, the maximum fine in each case shall be increased by 10% of the total revenues of the preceding fiscal period prior to the date the report of finding and sanctioning the contravention was drawn up.

In the case of banking secrecy, the sanctioning system is quite similar. For example, where the infringing party is a legal entity, the fine may be up to 10% of its total net turnover in the preceding year. Additional measures that may be decided include the withdrawal of the licence and the suspension of shareholders' voting rights.

11. Additional Areas of Interest

Not applicable.

Marta Popa, Senior Partner
[email protected]
Voicu & Filipescu, Bucharest
