Privacy Law in Romania

Privacy Law in Romania is primarily governed by both European Union regulations, specifically the General Data Protection Regulation (GDPR), and national laws that complement EU legal requirements. Romania, as a member of the European Union, is bound by the GDPR, which sets the framework for the protection of personal data in the country. Below is an overview of privacy laws in Romania:

1. General Data Protection Regulation (GDPR)

Since Romania is a member of the European Union, it is fully subject to the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The GDPR is the primary legal framework for data protection in all EU member states, including Romania. It aims to enhance the protection of personal data, strengthen individuals' privacy rights, and standardize data protection laws across the EU.

Key Provisions of the GDPR:

Data Protection Principles: Personal data should be processed lawfully, transparently, and for specified purposes. It should also be accurate, kept up to date, and stored for no longer than necessary.

Rights of Individuals: The GDPR provides several rights to individuals, such as the right to access, the right to rectification, the right to erasure (the right to be forgotten), the right to restrict processing, and the right to data portability.

Consent: Data processing should generally be based on the informed consent of the individual, except for certain legal grounds, such as the performance of a contract.

Data Breach Notification: Organizations must notify the relevant data protection authority within 72 hours of becoming aware of a data breach.

Data Protection Officer (DPO): Certain organizations are required to appoint a Data Protection Officer (DPO) to oversee compliance with the GDPR.

2. National Legislation: Law No. 190/2018 (on the processing of personal data)

In addition to the GDPR, Romania has implemented Law No. 190/2018, which specifically addresses the national implementation of the GDPR. This law outlines additional rules and provisions that complement the GDPR in the context of Romania's legal framework. It sets specific conditions and exceptions for the processing of personal data in the public and private sectors.

Key aspects of Law No. 190/2018 include:

Processing of Personal Data in Public Sector: Provides guidelines on the conditions under which public institutions can process personal data, particularly regarding national security, public health, and law enforcement.

Special Categories of Personal Data: Sets out conditions for processing sensitive personal data, such as health data, racial or ethnic origin, political opinions, etc.

Exemptions and Derogations: Identifies scenarios where certain rights, such as the right to access or rectification, may be restricted (e.g., for national security or criminal investigations).

3. Romanian Data Protection Authority (ANSPDCP)

Romania’s National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, or ANSPDCP) is the regulatory body responsible for overseeing compliance with data protection laws in Romania. It is the equivalent of the data protection authority found in other EU member states.

Responsibilities of ANSPDCP:

Monitoring Compliance: The authority monitors how organizations in Romania collect, process, and protect personal data to ensure they comply with the GDPR and national data protection laws.

Handling Complaints: ANSPDCP investigates complaints filed by data subjects and ensures their privacy rights are respected.

Enforcement and Penalties: The ANSPDCP has the authority to issue warnings, impose fines, and take corrective actions if an organization fails to comply with the GDPR or national laws.

Providing Guidance: It issues guidelines and recommendations to help organizations understand and comply with data protection regulations.

4. Rights of Data Subjects Under Romanian Law

Individuals (data subjects) in Romania enjoy several fundamental rights under both the GDPR and Romanian data protection laws. These rights give individuals control over their personal data and how it is used:

Right to Access: Individuals have the right to access their personal data held by organizations and obtain information on how it is being processed.

Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten): Individuals can request that their personal data be deleted when it is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing: Individuals can request the restriction of processing their personal data in certain circumstances.

Right to Data Portability: Data subjects can request that their personal data be transferred to another service provider in a structured, commonly used, and machine-readable format.

Right to Object: Individuals can object to the processing of their personal data, especially for marketing purposes.

Right to Not Be Subject to Automated Decision-Making: Individuals have the right to avoid decisions based solely on automated processing, including profiling, unless certain exceptions apply.

5. Data Breach Notification

Under the GDPR, and as implemented by Romanian law, organizations must notify both the relevant supervisory authority (ANSPDCP) and the affected individuals within 72 hours of discovering a data breach that may result in harm to individuals. Failure to comply with this notification requirement can lead to significant fines.

Notification to the Supervisory Authority: If the breach is likely to result in high risks to the rights and freedoms of individuals, the data controller must notify the ANSPDCP within 72 hours of becoming aware of the breach.

Notification to Affected Individuals: If the breach is likely to have a significant impact on individuals' privacy, organizations must inform the affected individuals without undue delay.

6. Cross-Border Data Transfers

The GDPR establishes strict rules for transferring personal data outside the European Union, ensuring that individuals' privacy is maintained when their data is transferred to countries that may not have adequate data protection laws.

Adequacy Decisions: Transfers of personal data to countries outside the EU are allowed only if the European Commission has determined that the country provides an adequate level of data protection.

Appropriate Safeguards: If the country does not have an adequacy decision, organizations must implement safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to ensure that personal data is protected during transfer.

7. Penalties for Non-Compliance

Organizations that fail to comply with Romania’s data protection laws, including the GDPR and Law No. 190/2018, can face significant penalties. Penalties for non-compliance may include:

Fines: The GDPR allows fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations.

Warnings: For less severe infringements, organizations may receive a warning or a reprimand.

Corrective Actions: The ANSPDCP may require organizations to take corrective measures, such as implementing new data protection procedures or altering their data handling practices.

8. Exemptions and Special Provisions

There are specific exemptions and special provisions in Romanian law and the GDPR that may limit certain privacy rights in specific situations, such as:

National Security and Law Enforcement: Personal data may be processed for national security purposes or in criminal investigations, subject to specific rules and conditions.

Public Interest: Data processing for public interest purposes, such as scientific research or public health, may have additional provisions that allow for the use of personal data without the full range of consent requirements.

Contractual Necessity: Data processing necessary for the performance of a contract may also be exempt from certain restrictions.

Summary of Privacy Law in Romania

Aspect | Details
Primary Law | GDPR and Law No. 190/2018 (on personal data processing)
Supervisory Authority | National Supervisory Authority for Personal Data Processing (ANSPDCP)
Individual Rights | Access, rectification, erasure, restriction, objection, portability
Data Breach Notification | Notify the ANSPDCP and affected individuals within 72 hours of a breach
Cross-Border Data Transfers | Allowed with appropriate safeguards or adequacy decisions
Penalties | Fines up to €20 million or 4% of global turnover, corrective actions, warnings
Exemptions | National security, public interest, and contractual necessity

Conclusion

Romania’s privacy laws are closely aligned with the GDPR, providing strong protections for personal data while ensuring that individuals' privacy rights are upheld. The ANSPDCP plays a critical role in monitoring and enforcing compliance with these laws. Organizations operating in Romania must adhere to strict data protection rules and be mindful of their obligations under both the GDPR and national legislation.

 
