Law no. 677 of 2001 on the Protection
of Individuals with Regard to the Processing of Personal Data and
the Free Movement of Such Data, as further amended ("Law no.
Law no. 506 of 2004 on the Processing
of Personal Data and the Protection of Privacy in the Electronic
Applicability of the Law no. 677
The provisions of the Law no. 677 apply when the data controller
(i) is domiciled in Romania, or (ii) uses equipment or means to
process personal data located in Romania, (unless the equipment or
means are used only for purposes of transit data through
Romania). If the data controller uses means and equipment in
Romania, but is not domiciled in Romania, the data controller must
designate a representative in Romania.
The processing of personal data is defined by Law no. 677 as any
operation or set of operations that involving personal data,
performed by automatic or non-automatic means, such as collection,
recording, storage, adaptation or alteration, retrieval,
consultation, use, disclosure to a third party by transmission,
dissemination or by any other means.
The personal data controller is a natural, or legal person,
which decides on the purpose and means of the personal data
processing, and operates a recording system of personal data
collection and processing which provides specific criteria for
accessing the respective data.
Notification of the Data Processing
According to Law no. 677, the data controllers must notify the
personal data processing to the National Authority for the
Supervision of Personal Data Processing (the "DPA").
The Notification is sent to the DPA before starting any
processing or transfer of personal data. All the documents to be
filed with the DPA must be in Romanian. No filing fees must be paid
when filing a Notification.
If the data controller processes personal data for two or more
unrelated purposes, then it has the obligation of filling in
separate Notifications for each of these purposes. The data
controller must notify the DPA prior to starting any processing of
the personal data.
The failure to notify, in the cases in which the Notification is
mandatory, as well as the incomplete Notification or the
Notification which contains false information, are violations
punishable by fines, provided that they are not committed in such
circumstances that will make them subject to criminal law.
Consequently, the data controller must first obtain the
DPA's confirmation that the Notification is valid and was
assigned a registration number in the Register of Recording of the
Personal Data Processing. After receipt of the above mentioned
confirmation, the data controller may start processing and/or
transferring the data.
Sensitive data are the data related to racial or ethnical
origin, political, religious, philosophical opinion, criminal
offences, minor offences or other convictions, trade union
membership, as well as data regarding health or sex life. In
addition to these data, under the Law no. 677, personal
identification numbers, or other personal data with a general
identification function i.e., national ID/passport details are
considered sensitive data. The collection and processing of
sensitive data require the prior and express consent of the owner
of the data.
Transfer of the personal data abroad
In accordance with the Law no. 677, the transfer of personal
data to another country is subject to the filing of a prior
Notification with the DPA. The transfer of data does not have to be
authorized by the DPA if the data are transferred to an EU/EEA
country, or to a non-EU/EEA country for which the European
Commission has issued an adequacy decision or other mechanisms are
in place to ensure an adequate level of protection. Further to the
Decision of the European Court of Justice of October 6, 2015 which
invalidated the Safe Harbor principle, the US-EU Safe Harbor
framework is no longer recognized as providing an adequate level of
protection. As a consequence, currently the transfer of the
personal data to the USA may be done based on the Standard
Contractual Clauses approved by the European Commission, or based
on the consent of the data subject.
Registry for Recording for the Personal Data Processing
The Registry of Recording of the Personal Data Processing has
the role of assuring the transparence regarding the data
controllers' activities and may be consulted by any interested
person, such being available online on the DPA's website.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR).
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).