Introduction to Romanian data protection law regime

Romania, as a Member-State of the European Union, is a subject to the General Data Protection Regulation 2016/679 (hereafter referred to as GDPR). On the basis of this act and for the purpose of its implementation, the Romanian authorities adopted a new Law no. 190/2018 (hereafter referred to as Data Protection Law), which entered into force on 31 July 2018. Besides of that, since 24 June 2018 the Law no. 129/2018 regarding the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing (hereafter referred to as National Supervisory Authority) also applies.

Despite the fact that the Data Protection Law is more in line with the provisions of GDPR, it has several features.

Firstly, under the broad wording of GDPR the term ‘personal data’ means information relating to an identified or identifiable natural person. However, Romanian legislator stipulated that the national identifier should be a specific number which has a general application and identifies a natural person in certain record systems. For example, it may be a natural identification number, passport number, driving licence number and national health insurance number. It is important to remember that information about legal entities is not a personal data, but some exceptions are applied to sole traders and partnerships.

Secondly, the Data Protection Law pays a special attention to the processing of the following categories of information:

  • genetic data, biometric data or health data. The processing of such information is permitted only with consent of Data Subject for the purposes of automated decision-making, profiling or other processing required by law. At the same time, Controller has an obligation to implement adequate measures for the protection of the rights, freedoms and legitimate interests of individuals.
  • national identification number. The processing activities may be carried out in the situations provided for in Article 6 (1) of GDPR. Also, in cases where processing is based on the legitimate interests pursued by the Controller or by a Third Party, the former one should provide some guarantees, including the extension of adequate technical and organizational measures, the appointment of Data Protection Officer, the establishment of a retention policy in accordance with the nature of the personal data and systematic training of the personnel that handles personal data processing activities.
  • personal data within a framework of employment relationships. In this context the processing through the electronic monitoring or video surveillance systems is only allowed if the legitimate interests of the employer prevail over the employee’s rights and interests; an employee is expressly informed about such monitoring activities by employer, as well as properly consulted by trade union or employees’ representative. Personal data of employee shall be retained only for a period proportionate with the processing purpose and in any circumstance for no more than 30 days.
  • personal data within the performance of a task with a special public interest. For journalistic, academic, artistic, statistical, scientific, historical research and literary expression purposes, the processing may be performed only if it refers to personal data: (a) which were manifestly made public by the Data Subject, or which are strongly related to the publicity of the person of the Data Subject, or (b) which needed to archive the general public interest.

Thirdly, notwithstanding the detailed regulations mentioned above, the Data Protection Law does not include any specific provisions in respect of processing the personal data of children and information about criminal offences.

And finally, the National Supervisory Authority has a power to access any processing equipment and storage devices and take statements from individuals. In relation to Data Subject’s complaint, the National Supervisory Authority is obliged to respond within 30 days from the date of its filling.

Questions regarding Romanian business or data protection law? We are happy to assist you with our partner:

Elena Grecu attorney at law