Data Privacy Comparative Guide

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data
privacy in your jurisdiction?

The Romanian privacy provisions are aligned with the applicable
EU law. The main statute in this regard is the EU General Data
Protection Regulation (2016/679) (GDPR). Its direct applicability
is supplemented by Law 190/2018 on measures implementing the GDPR.
The EU e-Privacy Directive (2002/58/EC) has been transposed into
national law through Law 506/2004 on the processing of personal
data in the electronic communications sector. Moreover, at the
national level, specific privacy matters on e-commerce matters are
regulated by Law 365/2002 on e-commerce, which transposed the EU
E-commerce Directive (2000/31/EC) into national law.

With respect to the processing of personal data in criminal
matters, Law 363/2018 on the protection of individuals with regard
to the processing of personal data by competent authorities for the
purposes of prevention, detection, investigation, prosecution of
criminal activities or the execution of criminal convictions, as
well as on the free movement of such data, will apply.

1.2 Do any special regimes apply in specific sectors (eg,
banking, insurance, telecommunications, healthcare, advertising) or
to specific data types (eg, biometric data)?

Romanian law does not provide for specific requirements on data
privacy matters in a particular sector. However, the national legal
framework sets out additional requirements that apply to particular
cases, such as the following:

  • It is forbidden to send commercial communications by email,
    except where the data subject has expressly consented to receive
    such communications (Article 6(1) of Law 365/2002).

  • The processing of genetic, biometric or health data for
    automated decision making or profiling purposes is permitted:

    • with the explicit consent of the data subject; or

    • if the processing is carried out pursuant to express legal
      provisions, with the establishment of appropriate measures to
      protect the rights, freedoms and legitimate interests of the data
      subject (Article 3, para (1) of Law 190/2018).


  • Where consumers conclude contracts with professionals, the
    consumer protection provisions outlined in Emergency Ordinance
    34/2014 – which transposed EU Directive 2019/2161 –
    will apply. Thus, any distance contract under which a trader
    provides the consumer with digital content or a digital service,
    where the consumer is not obliged to pay a price but is required to
    provide personal data, will fall under the legal requirements of
    the emergency ordinance, as long as the personal data is processed
    on another legal basis than performance of a contract or compliance
    of the trader with a legal obligation.

1.3 Do any bilateral and multilateral instruments on data
privacy have effect in your jurisdiction?

Not applicable.

1.4 Which bodies are responsible for enforcing the data privacy
legislation in your jurisdiction? What powers do they have?

The national authority responsible for enforcing the data
privacy legislation is the National Supervisory Authority for
Personal Data Processing (ANSPDCP). As provided in the
ANSPDCP’s law of establishment, its objective is to protect the
fundamental rights and freedoms of natural persons – in
particular, their right to privacy in relation to the processing of
personal data and the free movement of such data.

The ANSPDCP can carry out investigations with respect to
entities’ compliance with privacy matters (including dawn raids
at their premises). The ANSPDCP also handles complaints filed by
natural persons with respect to privacy matters, especially where
such complaints involve the illegal processing of personal data by
controllers. Moreover, the ANSPDCP has:

  • corrective powers as set out under Article 58 of the GDPR;
    and

  • the right to apply administrative fines as per Article 83 of
    the GDPR.

With respect to Law 506/2004 and Law 365/2002, some of the legal
provisions are also observed by the National Authority for
Management and Regulation in Communications of Romania.

1.5 What role do industry standards or best practices play in
terms of compliance and regulatory enforcement?

In terms of industry standards and best practices, the ANSPDCP
has not yet been requested to recognise any codes of conduct. On 24
June 2021, the ANSPDCP issued a decision on the approval of
additional requirements for the accreditation of certification
bodies; but no such certification bodies have as yet been
accredited.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in
your jurisdiction?

The data privacy legal framework applies to all entities that
process personal data or are directly involved in activities
concerning the processing of personal data.

2.2 What exemptions from the data privacy regime, if any, are
available in your jurisdiction?

As per Article 2 of the EU General Data Protection Regulation
(GDPR), the data privacy regime does not apply to personal data
that is processed:

  • in the course of an activity which falls outside the scope of
    EU law;

  • by EU member states in carrying out activities which fall
    within the scope of Chapter 2, Title V of the Treaty on European
    Union;

  • by a natural person in the course of a purely personal or
    household activity; or

  • by competent authorities for the purposes of the prevention,
    investigation, detection or prosecution of criminal offences or the
    execution of criminal penalties, including the safeguarding against
    and prevention of threats to public security.

Moreover, the National Supervisory Authority for Personal Data
Processing (ANSPDCP) has stated that the GDPR applies only where
personal data is collected, registered, stored and otherwise
processed through a filing system. This essentially excludes the
applicability of the GDPR where personal data is merely requested for
verification purposes, such as checking an ID card to
confirm that a person is not a minor in order to grant access to
premises restricted to persons aged 18 or over.

2.3 Does the data privacy regime have extra-territorial
application?

The Romanian data privacy regime applies to the processing of
personal data in the context of the activities of an establishment
of a data controller or a data processor in Romania, regardless of
whether the processing itself takes place in Romania. The regime
further applies to entities that are not established in Romania
where the processing relates to:

  • the offering of goods or services to data subjects in Romania,
    irrespective of whether payment from the data subjects is required;
    or

  • the monitoring of data subjects’ behaviour insofar as that
    behaviour takes place within Romania or the European Union.

3 Definitions

3.1 How are the following terms (or equivalents) defined in
your jurisdiction? (a) Data processing; (b) Data processor; (c)
Data controller; (d) Data subject; (e) Personal data; (f) Sensitive
personal data; and (g) Consent.

There are no specific derogations from the provisions of the EU
General Data Protection Regulation in relation to the definition of
terms. The key terms are thus defined as follows.

(a) Data processing

Any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction,
erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other
body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes
and means of the processing of personal data; where the purposes
and means of such processing are determined by EU or member state
law, the controller or the specific criteria for its nomination may
be provided for by EU or member state law.

(d) Data subject

An identifiable natural person who can be identified, directly
or indirectly, in particular by reference to an identifier such as
a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social
identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable
natural person.

(f) Sensitive personal data

The specific term is ‘special categories of personal
data’, which refers to:

  • data revealing racial or ethnic origin, political opinions,
    religious or philosophical beliefs, or trade union membership;
    and

  • genetic data, biometric data for the purpose of uniquely
    identifying a natural person, data concerning health or data
    concerning a natural person’s sex life or sexual
    orientation.

(g) Consent

Any freely given, specific, informed and unambiguous indication
of the data subject’s wishes by which he or she, through a
statement or a clear affirmative action, signifies his or her
agreement to the processing of personal data relating to him or
her.

3.2 What other key terms are relevant in the data privacy
context in your jurisdiction?

The national legislation pays particular attention to the
processing of national identification numbers, such as:

  • the unique identification number series of an ID card;

  • a passport number;

  • a driving licence number; or

  • a social health insurance number.

4 Registration

4.1 Is registration of data controllers and processors
mandatory in your jurisdiction? What are the consequences of
failure to register?

In Romania, the registration of data controllers or processors
is not mandatory. Such an obligation existed under the former data
privacy regime (Law 677/2001 on the protection of individuals with
regard to the processing of personal data and the free movement of
such data), but was repealed as from 25 May 2018.

4.2 What is the process for registration?

Not applicable.

4.3 Is registered information publicly accessible?

Not applicable.

5 Data processing

5.1 What lawful bases for processing personal data are
recognised in your jurisdiction? Do these vary depending on the
type of data being processed?

The lawful bases for processing personal data are those set out
in the EU General Data Protection Regulation (GDPR).

Thus, personal data can be processed based on:

  • consent;

  • performance of a contract to which the data subject is party or
    in order to take steps at the request of the data subject prior to
    entering into a contract;

  • compliance with a legal obligation to which the data controller
    is subject;

  • the necessity to protect the vital interests of the data
    subject or of another natural person;

  • the necessity to perform a task carried out in the public
    interest or in the exercise of official authority vested in the
    data controller; or

  • the legitimate interests pursued by the data controller or by a
    third party, except where such interests are overridden by the
    interests or fundamental rights and freedoms of the data subject
    which require protection of personal data – in particular, where
    the data subject is a child.

With respect to the processing of sensitive personal data, the
same rules provided in the GDPR apply: the processing of sensitive
personal data is prohibited, except where the exemptions set out in
Article 9(2) of the GDPR apply.

With respect to personal data relating to criminal convictions
and offences, as provided in Article 10 of the GDPR, such
processing must be carried out only:

  • under the control of an official authority; or

  • where the processing is authorised by the European Union or
    national law providing for appropriate safeguards for the rights
    and freedoms of data subjects.

5.2 What key principles apply (eg, notice) when processing
personal data in your jurisdiction? Do these vary depending on the
type of data being processed? Or on whether it is outsourced?

Personal data in Romania must be processed in compliance with
the principles outlined in Article 5 of the GDPR, as follows:

  • lawfulness, fairness, and transparency (ie, personal data is
    processed lawfully, fairly and in a transparent manner in relation
    to the data subject);

  • purpose limitation (personal data must be collected for
    specified, explicit and legitimate purposes, and must not be
    further processed in a manner that is incompatible with those
    purposes);

  • data minimisation (processing must be adequate, relevant and
    limited to what is necessary);

  • accuracy (processing must be accurate and data must be kept up
    to date);

  • storage limitation (personal data must be kept in a form which
    permits the identification of data subjects for no longer than is
    necessary for the purposes for which the personal data is
    processed);

  • integrity and confidentiality (personal data must be processed
    in a manner that ensures appropriate security of the personal
    data); and

  • accountability (the data controller is responsible for and must
    be able to demonstrate compliance with the data processing
    principles).

5.3 What other requirements, restrictions and best practices
should be considered when processing personal data in your
jurisdiction?

Following the practice of the National Supervisory Authority for
Personal Data Processing (ANSPDCP), data controllers and processors
should pay additional attention to processing based on consent,
especially when sending commercial communications to data subjects.
The ANSPDCP has issued several fines in this respect, arguing that
either:

  • the data controller or processor failed to prove that the data
    subject consented to such processing; or

  • the data controller or processor did not correctly address a
    data subject’s request for consent withdrawal.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of
data to third parties?

In Romania, personal data can be transferred to third parties
only if such transfer can be justified on a lawful basis,
irrespective of whether the transfer is carried out between data
controllers, to joint controllers or from controllers to processors
or vice versa.

6.2 What requirements and restrictions apply to the transfer of
data abroad? Do these vary depending on the destination?

Additional requirements apply to data transfers outside the
European Union or the European Economic Area, except for those
countries or territories for which the European Commission has
issued an adequacy decision (through which the European Commission
states that the legal framework of that country or territory ensures
an adequate level of protection), such as Andorra, Argentina, Canada
(only for commercial organisations), the Faroe Islands, Guernsey,
Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of
Korea, Switzerland, the United Kingdom (under the EU General Data
Protection Regulation and the Law Enforcement Directive) and
Uruguay.

For other territories, data transfers can be carried out only
if:

  • the data controller or processor that is party to the agreement
    has provided appropriate safeguards; and

  • enforceable data subject rights and effective legal remedies
    for data subjects are available.

These requirements can be satisfied through:

  • a legally binding and enforceable instrument between public
    authorities or bodies;

  • binding corporate rules;

  • standard contractual clauses adopted by the European
    Commission;

  • standard contractual clauses adopted by a supervisory authority
    and approved by the European Commission;

  • an approved code of conduct together with binding and
    enforceable commitments of the data controller or processor in the
    third country to apply the appropriate safeguards, including as
    regards data subjects’ rights; or

  • an approved certification mechanism together with binding and
    enforceable commitments of the controller or processor in the third
    country to apply the appropriate safeguards, including as regards
    data subjects’ rights.

6.3 What other requirements, restrictions and best practices
should be considered when transferring personal data, both within
your jurisdiction and abroad?

Additional attention should be paid to data transfers to the
United States following the ruling in Schrems II
(C-311/18), through which the Privacy Shield was invalidated. Thus,
any entity transferring data to the United States based on the
Privacy Shield should reassess the contractual mechanism based on
which the transfer occurs and implement the necessary safeguards in
order for the transfer to take place lawfully.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the
processing of their personal data? Do any exemptions apply?

Data subjects have the right:

  • to be informed about the processing of their personal
    data;

  • to access their personal data;

  • to rectify their personal data;

  • to the erasure of their personal data (right to be
    forgotten);

  • to restriction of processing;

  • to data portability;

  • to object to the processing;

  • not to be subject to a decision based solely on automated
    processing, including profiling, which produces legal effects
    concerning the data subject or similarly significantly affects the
    data subject; and

  • to lodge a complaint with the National Supervisory Authority
    for Personal Data Processing (ANSPDCP).

Obviously, such rights are not absolute. Taking into
consideration the particularities of each case, specific
limitations may apply. For example, a data subject cannot exercise
the right to erasure if such action may affect the controller in
exercising or defending legal claims.

7.2 How can data subjects seek to exercise their rights in your
jurisdiction?

A data subject can exercise its rights under the EU General Data
Protection Regulation (GDPR) by submitting a request in this regard
directly to the data controller. The data controller must
facilitate the exercise of the data subject’s rights under the
GDPR. Moreover, the data controller is obliged to provide
information on the action taken in relation to the data
subject’s request without undue delay and in any event within
one month of receipt of the request (which may be extended by a
further two months where necessary, taking into account the
complexity and number of requests).

If the data controller does not respond to the request submitted
by the data subject or takes no action in this respect, the data
subject can submit a complaint against the data controller to the
ANSPDCP and/or seek a judicial remedy from the competent
courts.

7.3 What remedies are available to data subjects in case of
breach of their rights?

If a data subject considers that his or her rights have been infringed
by the data controller, he or she can submit a complaint to the
ANSPDCP. Moreover, the data subject has the right to an effective
judicial remedy against a legally binding decision of the ANSPDCP
concerning him or her.

Moreover, where the data subject considers that his or her
rights under the GDPR have been infringed as a result of the
processing of personal data in non-compliance with the GDPR, the
regulation provides for the right to an effective judicial remedy,
including the right to obtain compensation from the data controller
or processor for the damage suffered. However, such damages can
only be established by a court of law.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory
in your jurisdiction? If so, what are the consequences of failure
to do so?

Apart from the legal provisions regulating the appointment of a
data protection officer (DPO) reflected in the EU General Data
Protection Regulation (GDPR) (Article 37), the appointment of a DPO
is mandatory where:

  • the processing is carried out by a public authority or body,
    except for courts acting in their judicial capacity;

  • the core activities of the data controller or processor consist
    of processing operations which, by virtue of their nature, scope
    and/or purpose, require regular and systematic monitoring of data
    subjects on a large scale; or

  • the core activities of the data controller or processor consist
    of processing on a large scale of special categories of sensitive
    data or personal data relating to criminal convictions and
    offences.

Law 190/2018 sets out an additional requirement in this respect:
a DPO must be appointed in all cases where a national
identification number is processed based on the legitimate interest
of the data controller.

Failure to appoint a DPO may attract significant fines (of up to
€10 million or up to 2% of the total worldwide annual turnover
in the preceding financial year).

8.2 What qualifications or other criteria must the data
protection officer meet?

The DPO should be appointed based on his or her professional
qualities and, in particular, expert knowledge of data protection
law (Article 37(5) of the GDPR). Although the specific qualities
that a DPO must have are not mentioned in the GDPR, the Guidelines on
Data Protection Officers (issued by the Article 29 Working Party and
endorsed by the European Data Protection Board) state that the DPO
must have:

  • expertise in national and European data protection laws and
    practices; and

  • an in-depth understanding of the GDPR.

Knowledge of the business sector and the organisation of the
data controller is also useful, as the DPO should have a good
understanding of the processing operations carried out, as well as
the information systems and data security and data protection needs
of the data controller.

With respect to the ability to fulfil his or her tasks, the
Guidelines on Data Protection Officers state that this requirement
should be interpreted as referring not only to the DPO’s
personal qualities and knowledge, but also to his or her position
within the organisation. The DPO must not be in a position that is
incompatible with this function (eg, chief executive officer, chief
operating officer, chief financial officer, chief marketing
officer, head of the marketing department, head of HR or head of
IT).

8.3 What are the key responsibilities of the data protection
officer?

The key responsibilities of a DPO are outlined in Article 39 of
the GDPR as follows:

  • to inform and advise the data controller or processor and
    employees who carry out data processing of their obligations
    pursuant to the GDPR and relevant data protection laws;

  • to monitor compliance with the GDPR and other relevant data
    protection provisions, and with the policies of the data controller
    or processor in relation to the protection of personal data –
    including the assignment of responsibilities, awareness raising and
    training of staff involved in processing operations – and to
    conduct related audits;

  • to advise where requested on data protection impact assessments
    and monitor the company’s performance pursuant to the relevant
    legal provisions;

  • to cooperate with the supervisory authority; and

  • to act as a contact point for the supervisory authority on
    issues relating to processing, including the prior consultation
    referred to in Article 36 of the GDPR, and to consult, where
    appropriate, with regard to any other matter.

8.4 Can the role of the data protection officer be outsourced
in your jurisdiction? If so, what requirements, restrictions and
best practices should be considered in this regard?

Under Romanian law, the role of the DPO can be outsourced to
either an individual or an organisation (eg, a law firm). However,
it is of the utmost importance that in such cases, the conflict of
interests rule is respected in the same way as for an internally
appointed DPO.

When deciding to outsource the role of the DPO, the data
controller must take several factors into consideration. For
example, in an organisation where data processing activities
present a higher degree of complexity, data controllers must ensure
that the external DPO:

  • has significant knowledge of the business sector and the
    organisation of the controller; and

  • can address on a day-to-day basis the privacy matters which the
    organisation faces.

8.5 What record-keeping and documentation requirements apply in
the data privacy context?

As per Article 5(2) of the GDPR, the data controller is
responsible for, and must be able to demonstrate compliance with,
the data protection principles. Thus, any aspect that assists with
the analysis of particular situations should be documented, at
least from a privacy point of view.

Thus, the data controller should:

  • keep an adequate record of processing activities;

  • implement adequate privacy policies, information notices, data
    protection impact assessments and legitimate interest assessments
    (or balancing tests); and

  • always observe the GDPR requirements in conducting its
    activities.

8.6 What other requirements, restrictions and best practices
should be considered from a compliance perspective in the data
privacy context?

The National Supervisory Authority for Personal Data Processing
(ANSPDCP) often carries out its investigations through requests for
information sent to the data controller or processor. Thus,
documenting the analysis carried out with respect to data
processing activities is the most reliable way to demonstrate
compliance with the privacy requirements.

Data controllers and processors should also seek to implement a
regular training programme for employees. It is of the utmost
importance that such training programmes include practical ways to
test employees’ knowledge of the GDPR. This enables the data
controller or processor to prove that its employees have the
necessary knowledge of the data privacy rules and internal
procedures in case of an investigation conducted by the
ANSPDCP.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors
to preserve the security of personal data?

All data controllers and processors must implement adequate
security measures in order to protect the personal data processed
in their normal course of business. As per Article 32 of the EU
General Data Protection Regulation (GDPR), data controllers and
processors must implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk.

Such security measures can vary depending on the activity
carried out by the data controller or processor. Where appropriate,
such security measures may include:

  • the pseudonymisation and encryption of personal data;

  • the ability to ensure the ongoing confidentiality, integrity,
    availability and resilience of processing systems and
    services;

  • the ability to restore the availability and access to personal
    data in a timely manner in the event of a physical or technical
    incident; and

  • a process for regularly testing, assessing and evaluating the
    effectiveness of technical and organisational measures for ensuring
    the security of the processing.

9.2 Must data breaches be notified to the regulator? If so,
what information must be provided and what is the process for doing
so? If not, under what circumstances is voluntary notification of a
data breach expected?

As per Article 33 of the GDPR, as a rule, the data controller or
processor must notify a data breach to the National Supervisory
Authority for Personal Data Processing (ANSPDCP) without undue
delay and, where feasible, no later than 72 hours after becoming
aware of it. If the ANSPDCP is not notified within 72 hours, such
notification must be accompanied by the reasons for the delay. This
obligation to notify the regulator will not apply where the
personal data breach is unlikely to result in a risk to the rights
and freedoms of natural persons.

The data breach can be notified through the dedicated data
breach section on the ANSPDCP’s website (www.dataprotection.ro). The notification should
contain at least the following information:

  • the nature of the personal data breach, including, where
    possible, the categories and approximate number of data subjects
    concerned and the categories and approximate number of personal
    data records concerned;

  • the name and contact details of the data protection officer or
    other contact point where more information can be obtained;

  • the likely consequences of the personal data breach; and

  • the measures taken or proposed to be taken by the data
    controller to address the personal data breach, including, where
    appropriate, measures to mitigate its possible adverse
    effects.

It is also important to provide the ANSPDCP with information
about the context in which the data breach occurred (eg, due to a
ransomware attack, human error or other similar event).

9.3 Must data breaches be notified to the affected data
subjects? If so, what information must be provided and what is the
process for doing so? If not, under what circumstances is voluntary
notification of a data breach expected?

Data breaches must be notified to the affected data subjects if
the breach is likely to result in a high risk to the rights and
freedoms of natural persons. The communication to the data subject
must:

  • be made without undue delay;

  • describe in clear and plain language the nature of the personal
    data breach; and

  • contain at least the information provided to the ANSPDCP when
    notifying it of a data breach (see question 9.2).

Nonetheless, based on Article 34(4) of the GDPR, if the ANSPDCP
considers that a personal data breach should be notified to the
data subjects, the data controller or processor can be instructed
to proceed as such.

The data controller or processor will be exempt from the
obligation to notify the data breach to the affected data subjects
only if:

  • the data controller has implemented appropriate technical and
    organisational protection measures, which have been applied to the
    personal data affected by the data breach – in particular,
    measures that render the personal data unintelligible to any person
    who is not authorised to access it, such as encryption;

  • the data controller has taken subsequent measures which ensure
    that the high risk to the rights and freedoms of data subjects is
    no longer likely to materialise; or

  • notification would involve disproportionate effort, in which
    case the data controller can instead issue a public communication
    or similar measure whereby data subjects are informed in an equally
    effective manner.

9.4 What other requirements, restrictions and best practices
should be considered in the event of a data breach?

In its latest case law, the ANSPDCP applied sanctions for data
breaches caused by:

  • ransomware attacks; and

  • the sending of emails to incorrect recipients.

Repeated data breach notifications have also recently attracted the
administrative liability of the data controller.

10 Employment issues

10.1 What requirements and restrictions apply to the personal
data of employees in your jurisdiction?

Apart from the general requirements provided in the EU General
Data Protection Regulation and the information reflected in
question 10.2, there are no particular restrictions with respect to
the processing of the personal data of employees.

10.2 Is the surveillance of employees allowed in your
jurisdiction? What requirements and restrictions apply in this
regard?

Law 190/2018 sets out specific rules on the processing of
personal data in employment relationships. As per Article 5 of Law
190/2018, where monitoring systems by means of electronic
communications and/or video surveillance are used in the workplace,
the processing of employees’ personal data for the purpose of
pursuing the legitimate interests of the employer is permitted only
if:

  • the legitimate interests of the employer are duly justified and
    override the interests or rights and freedoms of the data
    subjects;

  • the employer has provided the employees with full and explicit
    prior information;

  • the employer has consulted the trade union or, where
    appropriate, the employees’ representatives before introducing
    the monitoring systems;

  • other less intrusive forms and ways of achieving the
    employer’s intended purpose have not previously proved
    effective; and

  • the duration for which the personal data is stored is
    proportionate to the purpose of processing, but not longer than 30
    days, except in situations expressly provided for by law or in duly
    justified cases.

Failure to comply with such requirements may attract significant
fines (up to €20 million or up to 4% of the total worldwide
annual turnover of the preceding financial year).

10.3 What other requirements, restrictions and best practices
should be considered from an employment perspective in the data
privacy context?

The National Supervisory Authority for Personal Data Processing
(ANSPDCP) seems reluctant to approve any system in which access to
work premises, or any other form of authentication, is carried out
using employees’ biometric data. The ANSPDCP’s recent
practice suggests that biometric access systems can be implemented
only on the basis of the data subject’s consent, in which case
the data controller must be able to prove that such consent was
express, free and informed.

11 Online issues

11.1 What requirements and restrictions apply to the use of
cookies in your jurisdiction?

The Romanian data privacy regime contains no specific dedicated
provisions on cookies. Thus, the use of cookies must comply with
the EU General Data Protection Regulation (GDPR) requirements and
the case law of the Court of Justice of the European Union (CJEU)
– specifically the decision in Planet49 (C-673/17),
in which the CJEU underlined that non-essential cookies must be
placed based on expressly and freely given consent.

Moreover, as per the European Data Protection Board Guidelines
on consent, data controllers should bear in mind the following:

  • No pre-ticked checkboxes are allowed on cookie consent
    banners;

  • Scrolling and continued browsing do not represent valid
    consent; and

  • Cookie walls (forced consent) do not represent valid
    consent.

11.2 What requirements and restrictions apply to cloud
computing services in your jurisdiction from a data privacy
perspective?

Apart from the general obligations set out in the GDPR,
suppliers of cloud computing services must comply with the
requirements of Law 362/2018 on ensuring an increased common level
of security for computer networks and systems, which incorporates
the EU Network and Information Systems Directive (2016/1148) into
national law. Law 362/2018 expressly states that the National
Cybersecurity Directorate (DNSC) will cooperate with the National
Supervisory Authority for Personal Data Processing (ANSPDCP) in any
situation where incidents result in prejudice to personal data
security.

Based on Law 362/2018, suppliers of cloud computing services, as
digital service providers, must observe a set of mandatory
requirements imposed by law, including the obligation:

  • to implement adequate and proportional technical and
    organisational measures in order to ensure the minimum security
    conditions imposed by law for network and information systems;
    and

  • to immediately notify the DNSC of any incident that has a
    significant impact on the provision of digital services.

In implementing the required measures, suppliers of cloud
computing services must consider the technical norms elaborated by
the DNSC. Moreover, if specific requirements are met, such
suppliers will be subject to a national identification and
registration process. Following the applicable registration
procedure, the supplier will be subject to monitoring and control
by the DNSC. Failure to comply with Law 362/2018 may attract
significant administrative fines (up to 5% of the turnover of the
economic operator in case of repeated breaches).

11.3 What other requirements, restrictions and best practices
should be considered from a marketing perspective in the online and
networked context?

As the ANSPDCP focuses on electronic commercial communication
issues, data controllers and processors should pay additional
attention when determining whether such communications are
permissible.

Law 506/2004 states that unless the data subject has given prior
express consent to receive them, it is forbidden to send commercial
communications:

  • by means of automated calling and communication systems that do
    not require human intervention;

  • by fax or email; or

  • by any other method using publicly available electronic
    communication services.

However, where a data controller directly obtains the email
address of a data subject in connection with the sale of a product
or service, the controller may use that address for the purpose of
commercial communications relating to similar products or services
which it markets, provided that the customer is given a clear and
express opportunity to object to such use by simple means and free
of charge – both when obtaining the email address and on the
occasion of each commercial communication, if the data subject does
not object initially.

The ways in which companies seek to avail of this exception in
order to provide commercial communication have often come under
scrutiny by the competent courts. Recent case law clearly
underlines that such communications cannot be used for general
advertising and marketing purposes, including requests for feedback
on social media, downloading of the trader’s mobile application
or other activities carried out for customer loyalty purposes.

12 Disputes

12.1 In which forums are data privacy disputes typically heard
in your jurisdiction?

Disputes in Romania are resolved by:

  • district courts;

  • tribunals;

  • courts of appeal; and

  • the Supreme Court.

Depending on the complexity of the dispute, two or three
jurisdictional levels can be followed. While a straightforward
dispute can begin in the district court and can subsequently be
appealed to a tribunal, more complex cases (especially concerning
administrative acts issued by public authorities) begin in the
courts of appeal and end at the Supreme Court.

With respect to privacy disputes concerning the sanctioning
minutes or decisions of the National Supervisory Authority for
Personal Data Processing (ANSPDCP), the legal provisions state that
such disputes will be settled by the competent tribunal. The
tribunal’s decision can only be appealed to the competent court
of appeal. In all cases where sanctioning minutes or a decision are
issued, only the Romanian courts are competent to resolve such
issues.

With respect to civil claims (temporary/permanent injunction or
damages claims), the competent courts vary depending on:

  • the nature of the infringement; and

  • the total amount of damages requested.

However, as a general rule, such claims are often referred to
district courts and can be subsequently appealed to tribunals and
courts of appeal.

12.2 What issues do such disputes typically involve? How are
they typically resolved?

Disputes concerning privacy matters (irrespective of whether the
dispute refers to the annulment of sanctioning minutes or a
decision issued by the ANSPDCP or civil claims) revolve around the
evidence presented to the court. In practice, data controllers or
processors often cannot produce clear-cut evidence in order to
properly sustain their claims, thus making it difficult to obtain a
favourable decision.

According to its latest annual report, the ANSPDCP managed a
total of 152 cases pending before the courts at various procedural
levels in 2021. Of these, 25 new statements of claim were submitted
against acts issued by the ANSPDCP.

12.3 Have there been any recent cases of note?

In April 2022, the Cluj Court of Appeal dismissed a request for
the annulment of an administrative fine of €100,000 against a
bank for failure to comply with Article 32 of the EU General Data
Protection Regulation (GDPR).

In order to prove its diligent conduct as regards the training
of staff in the field of personal data protection, the bank
submitted a series of internal regulations and evidence of training
programmes on privacy matters. However, the court pointed out that
this did not prove that staff had actually participated in these
training programmes or that any means of verifying their
understanding of the relevant information had been applied.

Moreover, the court pointed out that the evidence relied on by
the banking institution to the effect that it had taken appropriate
measures in order to implement the provisions of the GDPR was
contradicted by the facts established by the uncontested
infringement report, which attested to the intentional unauthorised
disclosure by persons under the authority of the banking
institution of a significant amount of personal data (some of which
was highly sensitive) to a very large number of persons.

The court concluded that the carelessness with which the
bank’s employees had acted, transferring the personal data of
customers between each other and subsequently to third parties via
WhatsApp, showed not only a lack of knowledge of working procedures
relating to the processing of personal data, but above all (and
more seriously) their inability to identify and qualify the data to
which they had access as personal data, indicating an acute lack of
effective training.

The reasoning of the court confirms that data controllers often
struggle to provide the courts with sufficient evidence to
substantiate their claims.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape
and prevailing trends in your jurisdiction? Are any new
developments anticipated in the next 12 months, including any
proposed legislative reforms?

The data privacy landscape changed in 2018 due to the immediate
need of data controllers and processors to align their activities
with the EU General Data Protection Regulation (GDPR). In the early
years of this regime, the National Supervisory Authority for
Personal Data Processing (ANSPDCP) focused on prevention and
information activities with respect to the new legal framework.

Today, four years down the line, the ANSPDCP has not changed its
approach. The number of sanctions applied remains steady. As an
example, in 2021, the ANSPDCP issued 36 fines (compared to 29 in
2020 and 28 in 2019), alongside 93 warnings (as opposed to 134
warnings in 2019) and 56 privacy corrective measures. The fines
imposed exceeded €10,000 in only a few cases. The highest fine
imposed to date was €150,000.

In 2021, the complaints submitted to the ANSPDCP involved the
following issues, which we expect will remain a priority:

  • infringement of the rights of data subjects – in
    particular:

    • the right of access;

    • the right to object; and

    • the right to have personal data deleted;
  • the processing of images by means of installed video
    surveillance systems by employers at work or by condominium
    associations;

  • the disclosure of personal data online, including on social
    networks;

  • the processing of personal data in breach of the legal bases
    set out in Article 6 of the GDPR;

  • the breach of security and confidentiality measures for data
    processing activities; and

  • the sending of unsolicited commercial messages by telephone or
    email.

14 Tips and traps

14.1 What are your top tips for effective data protection in
your jurisdiction and what potential sticking points would you
highlight?

Due to the recent activity of the National Supervisory Authority
for Personal Data Processing (ANSPDCP), our recommendation is to
analyse compliance with the data protection regime on a day-to-day
basis, in order to be able to properly document compliance with the
applicable legal provisions. This will prove extremely useful when
handling information requests received from the ANSPDCP.

Data controllers should also provide regular employee training
on the EU General Data Protection Regulation. As an example, most
personal data breaches resulting from ransomware attacks are caused
by employees’ failure to follow security requirements (eg,
updating passwords on a regular basis) or their inability to
recognise fraudulent phishing communications.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
