Data Protection Law in Romania
Privacy and protection of personal data is a relatively new field for the legislative framework in Romania. A member of the European Union since January 1st, 2007, Romania implemented the EU Data Protection Directive 95/46/EC into the national legislation in November 2001 through Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“the Data Protection Law”).
The data protection law applies to the processing of personal data performed, totally or partially, through automatic means, as well as to the processing through means other than automatic. Its provisions also address crucial factors such as legitimate processing, data quality, definitions of the fundamental terms (e.g. operator, data subject, processing etc.), the rights of the data subjects and the obligations of the operators of personal data, and it designates the Romanian Supervisory Authority on data protection.
In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of “sensitive” data on a person’s race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards.
The Law also recognizes fundamental rights for the data subject, such as the right to be informed about the processing, the right to access the information, and the right to object to the processing at any time, provided that the person has legitimate reasons for doing so. Furthermore, the data subject has the right to object to the processing of their personal data if the purposes of the processing are directed towards marketing research or towards obtaining or transmitting commercial, advertising or marketing information.
NATIONAL DATA PROTECTION AUTHORITY
At first, Romania chose to delegate the responsibility of applying the personal data legislation to the “People’s Advocate”, an ombudsman institution with general jurisdiction on the defense of individuals’ rights and freedoms in their relationship with the public authorities. The institution treated data protection as a secondary topic, and this situation made it necessary to create a specialized structure for the implementation of the data protection legislation. The National Authority for the Surveillance of Personal Data Processing (in Romanian “Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal” or “ANSPDCP”) was set up through Law no. 102/2005 and came into force on the 12th of May 2005.
All public and private entities processing personal data must notify the ANSPDCP of their personal data processing, through the online standard notification form, at least 30 days in advance and obtain a data controller number, unless an exemption applies.
DATA PROTECTION OFFICERS
Currently, there is no requirement in Romania for data controllers to appoint a data protection officer.
COLLECTION AND PROCESSING
Under the Data Protection Law, data controllers may collect and process personal data provided that the data subject has expressly and unequivocally consented thereto. The data subject’s consent is not required under certain circumstances. Like some other Member States (e.g. France, Ireland and UK), Romania does not provide a definition of “consent” in the national data protection law. Data subjects must also be thoroughly informed in respect of data processing activities.
While personal data transfers within the EEA (or to countries with an adequate level of protection) must only be notified to ANSPDCP through the online form, transfer to third party countries outside the EEA requires an authorization from ANSPDCP. If the personal data is transferred to another EU Member State, no other requirement must be met other than ticking the appropriate box in the online notification form.
ANSPDCP does not recognize intra-group international data transfers based on Binding Corporate Rules.
Data controllers and data processors must take appropriate technical and organizational measures to protect personal data and must ensure a level of security appropriate to the nature of the data.
There is not yet a mandatory requirement in the Data Protection Law to report data security breaches or losses to ANSPDCP or to data subjects.
The ANSPDCP is entitled to investigate any breach of the Data Protection Law ex officio or following a complaint filed by a prejudiced data subject. To this end, ANSPDCP may perform an audit of data processing activities performed by data controllers and may impose administrative fines for failure to comply with the Data Protection Law, ranging from approximately 115€ to 11,400€ (the highest sanction is applied for failure to comply with security measures). Under certain conditions, failure to comply with the Data Protection Law may be considered a criminal offence.
ONLINE PRIVACY (COOKIES AND LOCATION DATA)
The processing of personal data for electronic marketing purposes is regulated under Law no. 506/2004 on the processing of personal data in the electronic communications sector (traffic data, location data and cookies) implementing Directive 2002/58/CE (“Law 506/2004”). Data subjects must be granted the right to object to the processing of their personal data for direct marketing purposes (opt-out).
Romania has not yet implemented the EU Cookie Directive.
Master 2 student in Digital Economy Law (Droit de l’Economie Numérique) at the Université de Strasbourg.