Romania - Data Protection Overview
July 2024
1. Governing Texts
The legal rules in Romania are mainly set out in Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) (the Law), which in principle reiterates the rules of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and in specific decisions issued by the National Supervisory Authority for Personal Data Processing (ANSPDCP), which regulate main areas of the GDPR such as when a Data Protection Impact Assessment (DPIA) is mandatory, the accreditation of certification bodies, the conduct of investigations, the handling of complaints, and the notification of security breaches.
The ANSPDCP's guidelines are quite scarce and generic, only reiterating the main GDPR principles and standards.
1.1. Key acts, regulations, directives, bills
The general legal framework for data protection has changed substantially since the GDPR took effect in May 2018.
Despite the GDPR's direct applicability in all EU Member States, the regulation recognizes Member States' rights to adopt derogations or additional safeguards in specific cases or with respect to certain types of processing.
In order to regulate such derogations, the Parliament of Romania adopted the Law, published in the Official Gazette No. 651 of July 26, 2018. The Law provides special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (DPO) and certification bodies, as well as provisions on the applicable sanctions for public and private entities.
In addition, the functions, powers, and duties of the ANSPDCP have been modified by means of a separate act, Law No. 129 of 15 June 2018 amending and integrating Law No. 102/2005 on the Establishment, Organization, and Functioning of the National Supervisory Authority for the Processing of Personal Data, as well as repealing Law No. 677/2001 on the Protection of Persons with Regard to the Processing of Personal Data and the Free Movement of such Data (the ANSPDCP Law).
In January 2019, Law No. 363/2018 of December 28, 2018, on Provisions Regarding the Processing of Personal Data by Competent Authorities for the Prevention, Detection, Investigation, Prosecution, and Control of Criminal Offences or the Execution of Sanctions, Education, and Measures (only available in Romanian here) (Law No. 363/2018) came into force.
In 2019, the Law was subject to a 'corrigendum.' Specifically, processing for statistical purposes had been included among the cases benefiting from the exemption regulated by Article 89(2) of the GDPR.
Furthermore, several decisions were issued by ANSPDCP:
- Decision No. 174/2018 on the list of kinds of processing operations which are subject to the requirement for a DPIA;
- Decision No. 20/2021 on the approval of the additional requirements for the accreditation of certification bodies pursuant to Article 43 of the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Regulation (EU) 2016/679);
- Decision No. 238/2019 on the amendment of Annex no. 2 to the procedure for conducting investigations, approved by the Decision of the President of the National Authority for the Supervision of Personal Data Processing No. 161/2018 (only available in Romanian here);
- Decision No. 161/2018 on the approval of the procedure for conducting investigations (only available in Romanian here);
- Decision No. 133/2018 on the approval of the procedure for receiving and resolving complaints (only available in Romanian here);
- Decision No. 128/2018 on the approval of the standard form for the notification of personal data breach in accordance with GDPR (only available in Romanian here);
- Decision No. 99/2018 regarding the cessation of the applicability of some normative acts with administrative character issued in the application of Law No. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data (only available in Romanian here);
- Decision No. 184/2014 on the approval of the standard form of notification of personal data breach for providers of public network services or electronic communications services, in accordance with the European Commission Regulation on measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on confidentiality and electronic communications (Regulation (EU) No. 611/2013) (only available in Romanian here); and
- Decision No. 64/2023 on the approval of the Requirements for Accreditation of a Code of Conduct Monitoring Body under Article 41 of Regulation (EU) 2016/679 (only available in Romanian here).
1.2. Guidelines
The ANSPDCP has released a GDPR resource center (only available in Romanian here) which includes general guidance for the application of GDPR (only available for download in Romanian here).
Furthermore, the ANSPDCP issued in May 2019 guidance on frequently asked questions on the implementation of GDPR and the applicability of Law No. 190/2018 (only available in Romanian here).
ANSPDCP issued two other specific guidelines:
- Guideline concerning the processing of personal data performed by the Homeowner Associations (only available for download in Romanian here); and
- Guideline on the applicability of Law no. 363/2018 (only available in Romanian here).
1.3. Case law
The entry into force of the GDPR marked a significant increase in data privacy litigation cases.
Most of such litigation (made publicly available) has been filed against credit institutions by paying customers complaining about reports to the Credit Bureau with negative credit scoring. Essentially, the claimants were asking for their data to be removed from the Credit Bureau database (before the expiry of the retention period applicable to the Credit Bureau system). The claimants argued that the 'right to be forgotten' applies to them with respect to such processing. The courts generally dismiss such claims as ungrounded, holding that the right to be forgotten does not apply in such cases, since there is a prevailing legitimate interest of the participants in the Credit Bureau system to have access to payment behavior information about the customers of the credit institutions.
One may also note a few court decisions whereby data subjects were awarded indemnification for the incurred prejudice following the illegal data processing, namely:
- VODAFONE ROMÂNIA S.A. was ordered to pay an indemnification of RON 2,000 (approx. $430) with respect to violations of Article 5(1)(a) and (f) of the GDPR for failing to process data lawfully, fairly, and in a transparent manner in relation to the data subject, and in a manner that ensures appropriate security of the personal data, when concluding an additional subscription contract with a third person using the claimant's data, without implementing an identification process;
- Banca Transilvania S.A. was ordered to pay an indemnification of RON 10,000 (approx. $2,180) for moral damages and material damages of RON 1,200 (approx. $260) for illegal processing of personal data starting on April 14, 2009. The controller had not informed the data subject in a transparent manner when transferring his data from the filing system of Biroul de Credit S.A. to the filing system of FICO. Starting on April 14, 2009, all data included in the Biroul de Credit S.A. filing system was being processed in FICO Score, an automated decision-making system, potentially leading to negative effects on the data subject;
- Iași Municipality was ordered to pay an indemnification of RON 15,000 (approx. $3,260). In the case at hand, Iași Municipality published on its website a list of individuals with debts towards the public budget, which included the identification data of the claimant even after the claimant had settled their debts. Thus, the court upheld that Iași Municipality had no legal basis for processing the claimant's personal data. The publication of such data on its website even after the settlement of the debt affected the claimant's public image, thus entitling the claimant to be awarded an indemnification for the incurred moral damage;
- National Company 'Bucharest Airports' S.A. was ordered to pay an indemnification of RON 10,000 (approx. $2,180) to a member of its Board of Directors, following the publication on the company's website of the data subject's contact details (i.e. full domicile address) and ID data (personal numeric number, series and number of the ID, date of issuance, and issuing authority). Such data was included in a decision of the general meeting of shareholders approving the appointment of the data subject as a member of the Board of Directors (processing which does not trigger any legal issues). Still, the decision was further published on the website of the company without masking the personal data not necessary to ensure the transparency of the corporate decision-making under the applicable corporate rules. The court upheld, in this case, the breach of the data minimization principle, explaining that publishing only the name and surname of the individuals would have been sufficient, and that the processing lacked a legal basis; and
- A Romanian bank was ordered to pay an indemnification of RON 1,000 (approx. $220) for moral damages for disclosing personal data consisting of banking information to third parties in violation of special legislation on personal data. It was held that, by disclosing the applicant's personal data (name, home address) and banking information (the applicant's bank account statements and debts), the defendant infringed the applicant's right to privacy and also the applicable legal provisions in the field of personal data.
2. Scope of Application
2.1. Personal scope
The Law applies to public and private entities processing personal data.
Law 363/2018 applies to competent authorities regarding the activities of prevention, detection, investigation, prosecution, and combating of crimes, execution of punishments, educational and security measures, as well as the maintenance and assurance of public order and safety.
2.2. Territorial scope
The Law and Law 363/2018 are applicable to processing operations undertaken in the territory of Romania or by controllers/processors headquartered in Romania.
2.3. Material scope
The Law sets derogatory rules for the processing of particular types of data or specific data purposes/operations, as follows:
- biometric and health data processing in view of undertaking an automated decision or for generating profiles shall take place exclusively on the basis of express consent or an express legal obligation, with the implementation of adequate data privacy measures;
- the national identification number may be processed based on legitimate interest, on the condition that controllers meet certain requirements in this regard, such as:
- implementing technical and organizational measures in order to ensure the security and confidentiality of the data;
- appointing a DPO in line with the GDPR;
- implementing retention periods subject to the nature of the data and the scope of processing; and
- periodic training, education, and awareness programs for persons with access to the data;
- collecting employees' data via monitoring activities undertaken via electronic communication means/CCTV based on the legitimate interest of the employer may take place only provided that:
- a proper justification of the legitimate interest is considered;
- the employee is informed with respect to the monitoring;
- a prior consultation with the union or the employees' representatives occurs before the monitoring is implemented;
- less intrusive means of reaching the goal pursued have been considered and found not to achieve it; and
- a term of retention proportionate to the purpose of processing is implemented, which shall not exceed 30 days unless expressly provided by law or in well-founded exceptional cases (e.g., pending litigation).
Law 363/2018 on the specific provisions regarding the processing of personal data by competent authorities for the prevention, detection, investigation, prosecution, and control of criminal offenses or the execution of sanctions, education, and measures applies to all data relating to an identified or identifiable natural person. This includes special categories of data (i.e. biometric data, health data, sex, etc. provided for in Article 9 of the GDPR), but also criminal records, as stipulated in Article 10 of the GDPR. Notably, sensitive data can be processed only if strictly necessary on a case-by-case basis and if one of the conditions below is met:
- the processing is expressly provided by law;
- the processing is necessary for the prevention of an imminent danger to the life, health, or physical integrity of a person; or
- the processing entails data manifestly made public by the data subject.
Law 363/2018 expressly prohibits automated decision-making and profiling with respect to sensitive data. Nevertheless, automated decision-making with respect to personal data can be undertaken if such action is expressly provided by law.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The regulator entrusted with overall competence in the data privacy field, including investigation powers, is the ANSPDCP.
3.2. Main powers, duties and responsibilities
As per the ANSPDCP Law, the ANSPDCP's main powers, duties, and responsibilities are those established by the GDPR. However, the exercise of certain powers and tasks has been further clarified within this legislation, such as:
- the power to carry out investigations; and
- the handling of complaints by the data subject.
Furthermore, additional powers have been granted to the ANSPDCP:
- to carry out investigations, whether unannounced onsite investigations, investigations at the headquarters of the ANSPDCP, or investigations via written correspondence with the ANSPDCP;
- to request and obtain from the controller or processor, onsite and/or within a set time limit, any information and documents, regardless of the storage media;
- to make copies of the requested information or documents;
- to have access to any of the premises of the controller or processor;
- to have access to and verify any equipment or data storage media required for the ongoing investigation; and
- to commission audits and hearings of persons whose statements are considered relevant and necessary for the investigation.
4. Key Definitions
Data controller: No national variations. The GDPR definition applies.
According to Law 363/2018, the data controller is the competent authority that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller or the specific criteria for its nomination may be provided for by law.
Data processor: No national variations. The GDPR definition applies.
Personal data: No national variations. The GDPR definition applies.
Sensitive data: No national variations. The GDPR definition applies.
Health data: No national variations. The GDPR definition applies.
Biometric data: No national variations. The GDPR definition applies.
Pseudonymization: No national variations. The GDPR definition applies.
Data subject: No definition under local laws. As per the European Data Protection Supervisor (EDPS) glossary, a person whose personal data are collected, held or processed.
Article 2 of the Law provides additional definitions, such as:
Public authorities and bodies: Chamber of Deputies and Senate, Presidential Administration, Government, Ministries, other specialized bodies of central public administration, autonomous public authorities, and institutions, local and county-level public administration authorities, other public authorities, and institutions under their subordination/coordination. For the purposes of this Law, public authorities/bodies, cult units, associations, and foundations of public utility shall be treated as such.
National identification number: The number by which a natural person is identified in certain filing systems and which has general applicability, such as personal number, serial number, ID number, passport number, driving license, and social health insurance number.
Remediation plan: Annex to the reports of finding and sanctioning the infringement, drawn up under the conditions laid down with respect to the accreditation of certification bodies, whereby the ANSPDCP sets out measures and a deadline for remediation.
Remediation measure: A solution ordered by the ANSPDCP in the remediation plan for the public authority to comply with the legal obligations.
Remediation period: The period of time not exceeding 90 days from the date of communication of the reports of finding and sanctioning the infringement, during which the public authority has the possibility of solving any irregularities found and complying with the legal obligations.
Carrying out a task in the public interest: Activities of political parties or minority organizations, non-governmental organizations, entailing the objectives set out in constitutional or public international law or the functioning of the democratic system, including encouraging citizens' participation in decision-making and public policy preparation (i.e., promoting the principles and values of democracy).
5. Legal Bases
5.1. Consent
The Law provides for express consent as legal basis for processing of biometric data and health data. Consent is also provided as a valid legal basis for processing national identification numbers.
5.2. Contract with the data subject
No national variations. The GDPR definition applies.
5.3. Legal obligations
The Law stipulates that biometric data and health data can be processed on the basis of express legal obligation. This legal basis is also applicable to processing of national identification numbers.
Law 363/2018 states that sensitive data can be processed only if strictly necessary on a case-by-case basis if such processing is expressly provided by law.
Law 363/2018 expressly prohibits automated decision-making and profiling with respect to sensitive data. Nevertheless, automated decision-making with respect to personal data is allowed if such action is expressly provided by law.
5.4. Interests of the data subject
No national variations. The GDPR definition applies.
5.5. Public interest
The Law provides the possibility to process special categories of data in the context of performance of a task carried out in the public interest. Such processing requires special guarantees (i.e., implementing technical and organizational measures in order to ensure the security and confidentiality of data in line with Article 5 of the GDPR, appointing a DPO, and implementing retention periods subject to the nature of the data and the scope of processing).
5.6. Legitimate interests of the data controller
No national variations. The GDPR definition applies.
5.7. Legal bases in other instances
National implementation of Article 89 of the GDPR
As per Article 8(1) of the Law, the processing of personal data for scientific or historical research, or statistical purposes may be carried out without the observance of the provisions of Articles 15, 16, 18, and 21 of the GDPR, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. As per Article 8(2) of the Law, the processing of personal data for archiving purposes in the public interest may be carried out without the observance of the provisions of Articles 15, 16, 18, 19, 20, and 21 of the GDPR, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Nonetheless, these specific derogations from Article 8 of the Law are subject to the conditions and safeguards referred to in Article 89(1) of the GDPR.
Furthermore, where the processing referred to in Article 8(1) and (2) of the Law serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in the aforementioned provisions.
National implementation of Article 87 of GDPR
The processing of the national identification number for the purposes of the legitimate interests pursued by the controller or by a third party can only be carried out if the controller has:
- implemented technical and organizational measures to ensure that such processing is carried out in accordance with the data minimization principle, as well as ensuring the security of the processing in accordance with Article 32 of the GDPR;
- appointed a DPO;
- set up storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion; and
- ensured regular training of the personnel with duties related to the processing of such personal data, by both the controller and the processor.
National implementation of Article 88 of the GDPR
The processing of employees' personal data for the purposes of the legitimate interests pursued by the employer, using surveillance of electronic communications and video monitoring systems at the workplace, may only be carried out if:
- such processing is justified and does not override the rights and freedoms of employees;
- employees have been clearly and fully informed of such processing;
- the employer has sought the opinion of the collective bodies or employee representatives prior to such processing;
- less intrusive means have been implemented but have not achieved the purposes pursued by the employer; and
- the storage period is proportionate to the purpose of processing and in any event not longer than 30 days, except if the law provides otherwise or in duly justified cases.
6. Principles
The principles of data protection are as follows:
- Lawfulness, fairness, and transparency:
- for the processing of personal data to be lawful, you need to identify specific grounds for the processing. This is referred to as a 'lawful basis' for processing, and there are six options that depend on your purpose and your relationship with the individual;
- you are not allowed to use the personal data in an unlawful way in a more general sense, including statute and common law obligations, whether criminal or civil;
- fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them;
- transparency means you must be clear about why personal data is being collected and how it is going to be used. If a data subject requests further information regarding the processing of their data, then organizations are bound to provide this in a timely manner. The collection, processing, and disclosure of data must all be done in accordance with the law, based on an adequate data processing ground;
- Purpose limitation: controllers must have a specific and legitimate reason for collecting and processing personal data. The data can only be used for the designated purpose and must not be processed for any other use unless the data subject has provided their explicit consent. There is a bit more flexibility with processing conducted for archiving purposes in the public interest or for scientific, historical, or statistical purposes;
- Data minimization: data must be 'adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed'. This means that organizations should only store the minimum amount of data required for their purpose (i.e. necessary, relevant, and adequate to the processing). Controllers cannot just collect personal data on the off chance that it might be useful in the future. If they are holding more data than is necessary, this is likely to be unlawful;
- Accuracy: data must be accurate, fit for purpose, and up to date. This means that organizations should regularly review information held about individuals and delete or amend inaccurate information accordingly. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within one month. This streamlining of information will help improve compliance and ensure business databases are accurate and up to date;
- Storage limitation: if data is no longer needed for the purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it;
- Integrity and Confidentiality: appropriate measures in line with the state of the art should be in place to secure the personal data you hold. This could be protection from internal threats such as unauthorized use, accidental loss, or damage, as well as external threats such as phishing, malware, or theft; and
- Accountability: controllers must take responsibility for the data they hold and demonstrate compliance with the other principles. This means that they must be able to provide evidence of the steps they have taken to demonstrate compliance.
Nevertheless, the Law provides for derogations from the principles set out in the GDPR. Hence, according to Article 7 of the Law, in order to ensure the freedom of expression and the right to information, processing of data may be carried out for journalistic purposes or for the purpose of academic, artistic, or literary expression, being exempted from the data privacy principles, if such data:
- have been manifestly made public by the data subject;
- are closely linked to the data subject's status as a public person; or
- are closely linked to the public nature of the facts the data subject is part of.
7. Controller and Processor Obligations
7.1. Data processing notification
No specific national requirements have been adopted in relation to notification and registration.
7.2. Data transfers
There are no general restrictions on the transfer/localization of personal data.
However, special laws may provide for limitations on transfers/localization depending on the type of personal data/operations/owner of data. For instance, we mention the following:
- airline transport passengers' data from the official evidence system held by passenger information units may be stored only on EU servers;
- personal data handled by pensions companies and privately managed pension funds active in Romania need to be kept only on the hardware/storing capacities located at their headquarters;
- data related to online remote gambling needs to be mirrored on a safe server located in Romania; moreover, the communications network/equipment and the central point where the core IT systems are located must be in Romania, on the territory of another EU Member State/EEA country, or in the Swiss Confederation;
- the data warehouse related to the movement of tobacco products from their entry date in the EU, including all intermediate movements, needs to be located on EU territory; and
- where hosting refers to classified information, the rules established in line with the National Standards for Protection of Classified Information in Romania should be considered. These may require that the data be located in Romania where the controller/processor is appointed as a service provider in relation to such information, that the main infrastructure be owned by the relevant public institution, and that any service providers or software intended for integration into the main infrastructure or for use in relation to classified information be accredited by the relevant authority.
7.3. Data processing records
No national variations. The GDPR definition applies.
7.4. Data protection impact assessment
Pursuant to Decision No. 174/2018 (the Blacklist), the ANSPDCP established that the following activities result in a high risk to the rights and freedoms of natural persons and therefore require a DPIA:
- processing of personal data carried out for a systematic and extensive evaluation of personal aspects relating to natural persons, that is based on automated processing, including profiling, and based on which decisions that produce legal effects concerning the natural person or, similarly, significantly affect the natural person, are taken;
- processing on a large scale of personal data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, as well as biometric data for the purpose of uniquely identifying a natural person, data concerning health, or a natural person's sex life or sexual orientation, and personal data relating to criminal convictions as well as offenses;
- processing carried out for systematic monitoring of a publicly accessible area on a large scale, such as video surveillance in shopping centers, stadiums, markets, parks, and other similar spaces;
- processing on a large scale of personal data pertaining to vulnerable natural persons, especially to minors or employees, via means of automated monitoring and/or systematic recording of their behavior, including carrying out activities involving commercials, marketing, and advertising;
- processing on a large scale of personal data by use of innovative, or by the implementation of, new technology, particularly when such activities limit the ability of data subjects to exercise their rights, such as the use of facial recognition techniques to facilitate access to different spaces;
- processing on a large scale of personal data generated by devices with sensors which send data over the internet or by other means (Internet of Things ('IoT') applications such as Smart TVs, connected vehicles, smart meters, smart toys, smart cities, or other similar applications); and
- processing on a large scale and/or systematic processing of traffic data and/or geolocation data of the data subjects (such as Wi-Fi monitoring, geolocating passengers in public transportation, or other similar cases) when the processing is not necessary for the performance of the services requested by the data subject.
In addition, the Blacklist provides that a DPIA is not mandatory where the processing pursuant to Article 6(1)(c) and (e) of the GDPR has a legal basis in Union law or in the law of the Member State and DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis.
Furthermore, the European Data Protection Board (EDPB) published Opinion 19/2018 on the draft list of the competent supervisory authority of Romania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR).
7.5. Data protection officer appointment
As per the Law, the appointment of a DPO is mandatory whenever processing of a national identification number is carried out. The DPO needs to be notified to the ANSPDCP.
In this regard, the ANSPDCP has launched a portal where controllers and processors can notify the DPO to the ANSPDCP (only available to access in Romanian here).
Furthermore, since 2017, the DPO role has been included in the Romanian Classification of Occupations.
7.6. Data breach notification
No specific national requirements have been adopted under general data protection legislation.
According to ANSPDCP Decision No. 128/2018 (only available in Romanian here) on the approval of the standard form for the notification of a personal data breach in accordance with the GDPR, in the event of a breach the controller must complete an online form comprising the following data:
- name of the controller and whether it is a private or a public legal person;
- identity and contact data (i.e. name and surname, email address, phone number, and mailing address) of the DPO;
- whether it is a separate notification or an addendum to a previous notification;
- information regarding the incident, such as:
  - date and time of the incident;
  - date and time when the controller became aware of the incident;
  - type of data breach (i.e. confidentiality/integrity/availability);
  - nature and content of the data concerned;
  - technical and organizational measures taken (or to be taken); and
  - relevant use of additional controllers (if applicable);
- additional information with respect to the data breach:
  - summary of the incident;
  - number of affected data subjects;
  - potential consequences for data subjects; and
  - technical and organizational measures implemented in order to minimize the risk;
- content of the notification of the data subjects (if applicable), method of communication, and number of affected data subjects informed;
- whether the breach concerns data subjects who are citizens of other Member States (if so, whether the relevant authorities of that Member State were notified); and
- electronic signature of the controller.
The form shall be communicated to ANSPDCP via email at [email protected].
Sectoral
Law No. 362/2018 on ensuring a high common level of security of networks and information systems (the Essential Services Law) (only available in Romanian here), as amended by Emergency Ordinance No. 104/2021 on the establishment of the National Cyber Security Directorate (only available in Romanian here), transposes the Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (Directive (EU) 2016/1148). It sets forth a standard of good practice for data security policies and the prevention of security incidents affecting information systems, with a view to protecting the essential security interests of the state. The organizations subject to the Essential Services Law, and therefore obliged to implement its requirements, are mainly digital service providers (online marketplaces, online search engines, and cloud computing services) and operators of essential services as defined in the act, such as electricity and natural gas suppliers; airlines and railway, naval, or road transport operators; banking institutions; hospitals and private clinics; drinking water suppliers; and providers of digital infrastructure (IXP, DNS, TLD).
The law mainly regulates the following aspects:
- minimum security requirements for the networks and information systems of essential services operators and digital services providers;
- specific requirements for notifying security incidents to the National Cyber Security Directorate (DNSC). The DNSC is designated as the single point of contact at national level for cybersecurity incidents (it operates a computer security incident response team (CSIRT)) and develops and updates, inter alia, technical rules on minimum requirements for the security of networks and information systems, as well as technical rules on compliance with the security incident notification obligations imposed by law on operators and providers; and
- audit controls for compliance with the organizational and security requirements provided under Essential Services Law.
Failure to comply with the abovementioned legal obligations may result in administrative fines of at least RON 3,000 (approx. $650) and up to 5% of the turnover reported in the economic operator's last financial statements (the percentage applies to legal entities with a turnover of over RON 2 million (approx. $435,260)). The DNSC may also take urgent provisional measures, including the cessation of activities, which can be maintained for up to 90 days, a term that can be extended by a further 90 days if needed.
Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the ePrivacy Law) sets forth a series of requirements that electronic communication services providers must follow in the case of a personal data breach. These requirements are supplemented by the provisions of the Commission Regulation of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications (Regulation (EU) 611/2013) (the Regulation), which sets out additional details on the data breach notification requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC, as amended).
Pursuant to the aforementioned legal framework, whenever electronic communication services providers suffer a data breach, they should notify the ANSPDCP of the same, irrespective of the gravity of the breach.
In addition, when such a breach may impact the personal data or private life of a subscriber, the provider of electronic communication services must also notify the concerned data subjects. Such notification would, however, not be necessary if the provider demonstrates to the ANSPDCP that it has applied adequate security measures with respect to the data affected by a security breach. Following the analysis of the respective security breach, the ANSPDCP may order the provider to notify the concerned subscribers.
The above notifications must contain at least:
- a description of the nature of the breach;
- the contact details where additional information on this topic may be obtained; and
- the recommendations as regards the measures for the mitigation of possible negative consequences stemming from such breach.
The minimal content of the data breach notifications is outlined in Annex I of the Regulation.
In addition, providers of electronic communication services must keep evidence of data security breaches that have occurred.
While the GDPR has introduced a general requirement for the controllers to comply with data breach notification requirements, the specific data breach requirements under the ePrivacy Law and the Regulation continue to apply to electronic communication services providers. Failure to comply with the abovementioned legal obligations may result in administrative fines from RON 5,000 (approx. $1,090) to RON 100,000 (approx. $21,760). In cases where companies have a turnover exceeding RON 5 million (approx. $1.1 million), fines can amount to up to 2% of the respective companies' turnovers.
7.7. Data retention
Article 5 of the ePrivacy Law states that controllers are under the obligation to delete or anonymize traffic data pertaining to users and subscribers when such data are no longer necessary for the communication, but no later than three years from the communication date.
Furthermore, Article 12 of the ePrivacy Law provides for a retention period of five years from the date of request, or until the issuing of a final court decision applicable to traffic data, equipment identification data, and localization data when retention is requested by the court, criminal prosecution authority, or national security authority for preservation of evidence.
Law No. 363/2018 stipulates in Article 37 that the controller has the obligation to document all breach incidents and retain such records for a period of five years from the notification of the supervisory authority.
In addition, according to Article 45, the operator shall be required to keep records of transfers for a period of ten years which shall, on request, be made available to the supervisory authority.
Accounting Law No. 82/1991 amended by Law No. 36/2023 and Order of the Ministry of Public Finance No. 2634/2015 regarding the financial-accounting documents amended by Order No. 1447/2023 (only available in Romanian here) expressly provide that:
- the mandatory accounting records and the supporting documents underlying the entries in the financial accounts shall be kept in the archives for five years from July 1 of the year following the end of the financial year in which they were drawn up, including for the payroll statements; and
- persons who use computerized automatic data processing systems shall be obliged to ensure that the data recorded in the accounts are processed in accordance with the applicable accounting regulations, checked, and stored on technical media for five years from July 1 of the year following the end of the financial year in which they were drawn up.
Law No. 16/1996 regarding the National Archives (only available in Romanian here), Annex 6, and Government Ordinance No. 905/2017 regarding the general register of employees' records (only available in Romanian here) provide for a term of 75 years from the date of creation for personnel files and similar work data. Following the response of the National Archives No. ANB-6739-R dated July 13, 2022, it is recommended to reduce the retention period provided for in the mentioned Law from 75 years to 50 years, taking into account current practice and the existing social impact.
Law No. 190/2018 on measures implementing Regulation (EU) 2016/679 stipulates a maximum period of 30 days (but also proportionate to the purpose of the processing) for monitoring systems by means of electronic communications and/or by means of video surveillance at the workplace.
Law No. 290/2004 concerning the criminal record provides for a period of validity of six months from the date of issue of the criminal record.
Law No. 129/2019 on preventing and combating money laundering and terrorist financing provides for a retention period of five years from the date of termination of the business relationship with the customer or from the date of the occasional transaction for supporting documents and transaction records (e.g. account statements, commercial correspondence, and the history and purpose of transactions).
7.8. Children's data
No specific national requirements have been adopted, and therefore the standard age for consent under the GDPR, which is 16 years (Article 8 of the GDPR), applies in the case of information society services. For other services, the Romanian Civil Code rules apply, under which:
- children under 14 years need consent of the legal guardian; and
- children between 14 and 18 years may consent alone or with the confirmation of their legal guardian, depending on the effects of the act to which they are consenting.
7.9. Special categories of personal data
Processing of genetic, biometric, or health data
The processing of genetic, biometric, or health data for the purpose of making a decision based on automated processing and profiling may only be carried out with the explicit consent of the data subject, or when this is required by an express legal provision, and with the implementation of suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.
Processing of special categories of data for reasons of substantial public interest
The processing of special categories of data, where such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, may only be carried out if the controller or the third party has implemented the following safeguards:
- technical and organizational measures to ensure that such processing is carried out in accordance with the principles set out in Article 5 of the GDPR, in particular, the data minimization as well as integrity and confidentiality principles;
- if necessary, a DPO has been appointed; and
- they have set up storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion.
Processing of special categories of data by political parties, national minorities organizations, and non-governmental organizations
The processing of special categories of data by political parties, national minorities organizations, and non-governmental organizations may be carried out without the data subject's consent if the following safeguards have been implemented:
- technical and organizational measures to ensure that such processing is carried out in accordance with the principles set out in Article 5 of the GDPR, in particular, the data minimization and integrity and confidentiality principles;
- if necessary, a DPO has been appointed; and
- the setting up of storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion.
It should be noted that under Article 2 of the Law, performing tasks in the 'public interest' includes the activities of political parties or citizen organizations belonging to national minorities and any non-governmental organizations serving the fulfillment of the objectives provided by constitutional law or public international law or the functioning of the democratic system.
Processing of personal data under Law No. 363/2018
For processing of personal data under Law No. 363/2018 of 28 December 2018 (only available in Romanian here) (Law No. 363/2018), certain obligations have been provided, including:
- any normative act that establishes personal data processing activities for the prevention, detection, investigation, prosecution, and control of criminal offenses or the execution of sanctions, education, and measures should at least stipulate:
  - the general context of the processing;
  - the personal data to be processed;
  - the purposes of the processing; and
  - the general and, where appropriate, specific retention periods of personal data (such specific retention periods being mandatory where):
    - the personal data refers to minors;
    - special categories of personal data are processed; and
    - the competent authority cannot determine the degree of accuracy of the processed personal data;
  - the specific retention periods cannot be longer than half the general storage period established for the envisaged purpose of the processing;
- the obligation to inform the data subject of the identity and contact details of the competent authority, the contact details of the DPO, the purposes for which the personal data is processed, and the competent authority's right to postpone, restrict, or omit the provision of information to the data subject in certain cases;
- appropriate technical and organizational measures for the processing of personal data;
- the obligation for the competent authority to keep track of all categories of processing activities carried out under its responsibility; and
- the designation of a DPO.
7.10. Controller and processor contracts
No general local requirements exist with respect to contracts concluded between a controller and a processor; GDPR standards apply to the controller-processor relationship.
8. Data Subject Rights
No specific national requirements have been adopted in relation to data subject rights. However, public authorities falling under Law No. 363/2018 are allowed to answer data subjects' requests within an extended timeframe of 60 days and not 1 month as per GDPR.
8.1. Right to be informed
Law No. 363/2018 provides in Article 17 for specific derogations from the right to be informed where such a measure is necessary and proportionate in a democratic society in order to:
- avoid obstructing the proper conduct of criminal investigations;
- avoid prejudicing the prevention, detection, investigation, prosecution, and combating of criminal offences or the execution of penalties;
- protect public order and safety;
- protect national security; or
- protect the rights and freedoms of other persons.
Nevertheless, the data subject remains entitled to be informed about the processing categories not affected by the above-mentioned situations. Furthermore, the data subject shall be informed of the reason behind such a measure (unless such disclosure would affect the processing described above) and of the right to lodge a complaint with the supervisory authority or the relevant court.
8.2. Right to access
No national variations. The GDPR definition applies.
8.3. Right to rectification
No national variations. The GDPR definition applies.
8.4. Right to erasure
No national variations. The GDPR definition applies.
8.5. Right to object/opt-out
No national variations. The GDPR definition applies.
8.6. Right to data portability
No national variations. The GDPR definition applies.
8.7. Right not to be subject to automated decision-making
No national variations. The GDPR definition applies.
8.8. Other rights
No national variations. The GDPR definition applies.
9. Penalties
The sanctioning regime applied by the ANSPDCP whenever an infringement of the GDPR or national legislation occurs has been established by both the Law and the ANSPDCP Law.
Sanctioning regime under ANSPDCP Law
The administrative sanctions that the ANSPDCP may impose for infringements of the GDPR or national legislation are:
- a warning; and
- an administrative fine.
These sanctions may be imposed by the ANSPDCP within three years from the date when the infringement occurred. However, this term is interrupted by any legal proceeding carried out by the ANSPDCP, without exceeding a maximum term of four years. Where infringements occur continuously, or result from actions or inactions that occurred at different time intervals based on the same resolution, each of them having been carried out in the context of the same offence, the term starts from:
- the date of discovery; or
- the date of cessation of the last action, if this moment occurs prior to the discovery.
When the amount of the fine exceeds €300,000, the fine will be applied only through a decision of the Chairman of ANSPDCP.
Furthermore, corrective measures can be applied either by decisions of the ANSPDCP or by the minutes issued by the ANSPDCP's representatives. However, certain corrective measures, for example, temporary or definitive limitation on processing, rectification or erasure of personal data, and restriction of processing, can only be applied by decisions of the ANSPDCP.
Notably, the imposed sanctions or corrective measures can be challenged within 15 days from the date when the minutes or decision was communicated or handed over, before the competent tribunal. The court's judgement can only be appealed before the competent court of appeal. The challenge will only suspend the payment obligation until a definitive judgement has been pronounced. Any applied fine must be paid within 15 days from the date when the minutes or decision was communicated or handed over.
In the event of non-compliance with the measures ordered, or in the case of a tacit or express refusal to provide all the information and documents requested in the investigation, or in the case of a refusal to carry out the investigation, the ANSPDCP may impose by decision a fine of up to RON 3,000 (approx. $650) for each day of delay, calculated from the date set by the decision.
With regard to complaints submitted or investigations started prior to May 25, 2018 that are still pending, the ANSPDCP will impose fines according to the provisions applicable at the time the infringement occurred if the fines provided by the GDPR are higher.
Sanctioning regime under Law No. 363/2018
The rules by which public authorities and bodies are sanctioned differ from those applicable to other entities. Any infringement of the GDPR or national legislation by public authorities and bodies will first be sanctioned with a warning, and a remedy plan with a remedy term will be imposed by the ANSPDCP.
If within 10 days of the ending of the remedy term, the public authority or body fails to fulfil the measures set out in the remedy plan, then the ANSPDCP may impose pecuniary sanctions. Under the provisions of Law No. 363/2018, the competent authority may be granted an extension on the remedy term for up to 30 days.
Nonetheless, the administrative fines in such cases are capped at a maximum of RON 200,000 (approx. $43,530).
As regards private entities or individuals, such provisions have not been regulated. Therefore, such entities may be sanctioned directly with a fine within the limits set out in the GDPR, depending on the seriousness and the consequences of the infringement.
Sanctioning regime under Law 362/2018 on ensuring a high common level of security of networks and information systems
The sanctioning regime pertaining to essential service providers also contains special provisions. Prior to imposing a sanction for the infringement of any obligation under the Essential Services Law or of any act issued by the DNSC, the auditing body shall notify the defaulting essential service provider of the infringement, the mandatory measures to be implemented, the deadline, and the potential sanction if the provider does not comply.
Therefore, subject to the nature of the infringement, the administrative fines fall between RON 3,000 (approx. $650) and RON 50,000 (approx. $10,880) with up to RON 100,000 (approx. $21,760) for repeated infringements.
Furthermore, undertakings with a turnover exceeding RON 2 million (approx. $435,270) are subject to administrative fines between 0.5% and 2% of the turnover, with up to 5% of the turnover for repeated infringements.
Sanctioning regime under Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector
Providers of electronic communications are also subject to their own sanctioning regime. For infringements of the provisions of Law No. 506/2004, the administrative fines range between RON 5,000 (approx. $1,090) and RON 100,000 (approx. $21,760).
In addition, undertakings with a turnover exceeding RON 5 million (approx. $1.1 million) are subject to administrative fines up to 2% of the turnover.
Furthermore, ANSPDCP can also apply penalty fines per day for up to RON 5,000 (approx. $1,090) for lack of notification of a security breach to the data subject.
9.1. Enforcement decisions
Since the GDPR entered into force, the ANSPDCP has issued numerous enforcement decisions for failure to comply with the GDPR requirements. Amongst these, we note that the ANSPDCP has applied over 311 administrative fines exceeding, in aggregate, $1.6 million.
Please find below a summary of the most notable sanctioning decisions issued by the ANSPDCP:
- Raiffeisen Bank S.A. and Vreau Credit S.R.L. were fined €170,000 (€150,000 Raiffeisen Bank S.A. and €20,000 Vreau Credit S.R.L.) for violations of Article 32 of the GDPR (insufficient technical and organizational measures to ensure information security). The ANSPDCP found that two employees of Raiffeisen Bank S.A. received from employees of Vreau Credit S.R.L., through the WhatsApp mobile application, copies of IDs of natural persons (potential clients of Vreau Credit S.R.L.). The employees of Raiffeisen Bank S.A. performed scoring simulations through the computer application used by Raiffeisen Bank S.A. in its crediting activity, and the resulting credit scores were communicated back to the employees of Vreau Credit S.R.L., in breach of internal procedures. The authority found that 1,194 simulations were performed, affecting 1,177 individuals (only available in Romanian here);
- UniCredit Bank S.A was fined €130,000 for a breach of Article 25(1) of the GDPR relating to the principles of Data Protection by Design and by Default. The fine was issued as a result of the failure to implement appropriate technical and organizational measures which resulted in the online disclosure of the IDs and addresses of over 300,000 data subjects (only available in Romanian here);
- Rompetrol Downstream S.R.L. was fined €110,000 for violations of Articles 32(1)(b), 32(2), and 32(4) of the GDPR by failing to: implement adequate technical and organizational measures to ensure a level of security correspondent to the risk of processing; and take measures to prevent any natural person with access to personal data under its authority from processing the personal data without authorization. The ANSPDCP found that personal data from Rompetrol Downstream's customers was repeatedly accessed on an internal level without authorization and illegally disclosed for the purpose of obtaining loans on behalf of the affected customers. The personal data illegally disclosed included names and surnames, identity card numbers, personal numeric codes, addresses, places of birth, photos, as well as data contained in the salary certificates (date, signature, income, and seniority) (only available in Romanian here); and
- Banca Transilvania S.A. was fined €100,000 for the disclosure in the public space (online) of a statement requested by the controller from a customer about how he intended to use a certain amount of money that he wanted to withdraw from his account. This statement was distributed among several employees of Banca Transilvania on their work email addresses. One of the employees printed the e-mail containing the customer's statement, as well as the email containing the internal conversation between the bank's employees. Another employee photographed the printed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the printed document was posted and distributed on Facebook and on a website. The violations found are as follows:
  - lack of sufficient measures to ensure that any natural person acting under the authority of the bank who has access to personal data only processes them at the request of the controller; and
  - ineffectiveness of the internal training of the bank's employees regarding the observance of the personal data protection norms of the data subjects.
  In the civil decision, the Court of Appeal held that the casualness with which Banca Transilvania employees acted, transmitting the personal data of the bank's client to one another and to third parties, attests to their ignorance of the work procedures regarding the processing of personal data and, importantly, to their inability to identify and qualify the data they had access to as personal data, which indicated an acute lack of effective training. Moreover, the Court stated that the ANSPDCP was correct in assessing the seriousness of the infringement given the amount of personal data disseminated by bank employees, its sensitive nature, and the manner of dissemination, noting the extremely large number of people who gained access to the bank's customer data for an indefinite period of time. Along similar lines, the Court found that the ANSPDCP properly applied the criteria provided in Article 83(2)(c) to (k) of the GDPR, as evidenced by its examination of those criteria, the fine being much lower than the maximum available, and the detailed analysis performed;
- ING Bank N.V. Amsterdam – Bucharest Branch was fined €80,000 for insufficient technical and organizational measures to ensure information security. The ANSPDCP found that the credit institution failed to implement adequate measures for its automated data processing system during the settlement process of card transactions, resulting in duplicate transactions being executed. The non-conformity affected over 220,000 customers (only available in Romanian here);
- UiPath S.R.L. was fined €70,000 for data security violations. The ANSPDCP found that UiPath had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the processing risk and to ensure the confidentiality of the data processing, which led to unauthorized disclosure of and unauthorized access to the personal data (names and surnames, the unique identifier of each user, e-mail addresses, the name of the user's employer, country, and details of the level of knowledge obtained in the courses taught by UiPath) of about 600,000 UiPath users. The ANSPDCP imposed the fine for infringing Articles 25 and 32 of the GDPR, together with a corrective measure ordering UiPath to implement a mechanism, applied at regular intervals, for the periodic testing, evaluation, and assessment of the effectiveness of the measures adopted, taking into account the risk posed by the processing, in order to ensure an adequate level of security and avoid similar security incidents in the future (only available in Romanian here);
- Dante International S.A. was fined €40,000 for infringement of Article 12(2) and Article 17(1) of the GDPR. The ANSPDCP found that: i) Dante International S.A. violated Article 12(2) in relation to Article 17 of the GDPR, as well as Article 17(1) of the GDPR, as regards the controller's obligation to facilitate the exercise of data subjects' rights and to delete their data without undue delay; ii) Dante International S.A. infringed Article 13(1)(c), (e), and (f) and Article 14(1)(c), (e), and (f) of the GDPR, because at the time the investigation started, the information on the emag.hu website did not contain complete information on transfers to third countries and on the purposes and recipients of the data in that context; and iii) Dante International S.A. infringed Article 6(1)(a) of the GDPR by further processing the e-mail address of a data subject in correspondence with them after their request for rectification, without their consent (only available in Romanian here);
- Restart Energy One S.A. was fined €33,000 for security and cookie consent failures. At the end of its investigation, the ANSPDCP found that a file from Restart Energy One's website containing the personal data of at least 750 data subjects had been publicly accessible via a link indexed by search engines for a period of approximately two and a half years. Furthermore, the ANSPDCP determined that, upon accessing Restart Energy One's website, cookies that were not technically necessary were installed on the user's device before the user could consent to them. The ANSPDCP also discovered that the 'refuse' button did not stop the installation of cookies on the user's device. In light of the above, the ANSPDCP found that Restart Energy One had violated Articles 32(1)(b) and 32(1)(d) in conjunction with Article 32(2) of the GDPR, as well as Article 4(5) of the Electronic Communications Law. Besides the fine, the ANSPDCP also ordered Restart Energy One to implement a procedural plan that includes testing, evaluation, and periodic assessment of all systems and their subsequent changes, especially on the website managed by Restart Energy One (only available in Romanian here); and
- Hora Credit IFN S.A. was fined €24,000 for a data breach. Following its investigations, the ANSPDCP found that Hora Credit did not adopt sufficient personal data security measures to prevent the unauthorized disclosure of personal data to third parties, in violation of Article 32 of the GDPR. The ANSPDCP also faulted Hora Credit for not notifying the ANSPDCP of the security breach within 72 hours from the date Hora Credit became aware of it, in contravention of Article 33(1) of the GDPR. Furthermore, the ANSPDCP noted that Hora Credit failed to respond to the requestor regarding the source from which their personal data had been collected, in breach of Articles 15(1), 12(3), and 12(4) of the GDPR. In light of the above, the ANSPDCP imposed a total fine of €24,000 on Hora Credit. Additionally, the ANSPDCP ordered the company to implement corrective measures, including: adequate and effective security measures, including validation of collected email addresses, encryption of transmitted documents, training of the people who process data under its authority, and the correct management of requests and notifications received; contacting the requestor to ask them to delete or destroy, as the case may be, the personal information to which they had access; an appropriate internal policy for identifying and analyzing risks and for notifying the ANSPDCP in the event of a security breach; informing Hora Credit's client of the breach of the security of their data; and communicating to the complainant an answer to their request in accordance with Article 15(1) of the GDPR (only available in Romanian here).
According to the ANSPDCP's annual activity reports, since the GDPR entered into force and up to March 31, 2024, the authority has been involved in 236 court disputes challenging the sanctions or corrective measures it applied.