The relevant Romanian data protection laws are:

  • Law no. 677 of 2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, as further amended ("Law no. 677")
  • Law no. 506 of 2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector

Applicability of the Law no. 677

The provisions of the Law no. 677 apply when the data controller (i) is domiciled in Romania, or (ii) uses equipment or means to process personal data located in Romania, (unless the equipment or means are used only for purposes of transit data through Romania).  If the data controller uses means and equipment in Romania, but is not domiciled in Romania, the data controller must designate a representative in Romania.

Data Controllers

The processing of personal data is defined by Law no. 677 as any operation or set of operations that involving personal data, performed by automatic or non-automatic means, such as collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure to a third party by transmission, dissemination or by any other means.

The personal data controller is a natural, or legal person, which decides on the purpose and means of the personal data processing, and operates a recording system of personal data collection and processing which provides specific criteria for accessing the respective data.

Notification of the Data Processing

According to Law no. 677, the data controllers must notify the personal data processing to the National Authority for the Supervision of Personal Data Processing (the "DPA").

The Notification is sent to the DPA before starting any processing or transfer of personal data. All the documents to be filed with the DPA must be in Romanian. No filing fees must be paid when filing a Notification.

If the data controller processes personal data for two or more unrelated purposes, then it has the obligation of filling in separate Notifications for each of these purposes. The data controller must notify the DPA prior to starting any processing of the personal data.

The failure to notify, in the cases in which the Notification is mandatory, as well as the incomplete Notification or the Notification which contains false information, are violations punishable by fines, provided that they are not committed in such circumstances that will make them subject to criminal law.

Consequently, the data controller must first obtain the DPA's confirmation that the Notification is valid and was assigned a registration number in the Register of Recording of the Personal Data Processing. After receipt of the above mentioned confirmation, the data controller may start processing and/or transferring the data.

Sensitive Data

Sensitive data are the data related to racial or ethnical origin, political, religious, philosophical opinion, criminal offences, minor offences or other convictions, trade union membership, as well as data regarding health or sex life. In addition to these data, under the Law no. 677, personal identification numbers, or other personal data with a general identification function i.e., national ID/passport details are considered sensitive data. The collection and processing of sensitive data require the prior and express consent of the owner of the data.

Transfer of the personal data abroad

In accordance with the Law no. 677, the transfer of personal data to another country is subject to the filing of a prior Notification with the DPA. The transfer of data does not have to be authorized by the DPA if the data are transferred to an EU/EEA country, or to a non-EU/EEA country for which the European Commission has issued an adequacy decision or other mechanisms are in place to ensure an adequate level of protection. Further to the Decision of the European Court of Justice of October 6, 2015 which invalidated the Safe Harbor principle, the US-EU Safe Harbor framework is no longer recognized as providing an adequate level of protection. As a consequence, currently the transfer of the personal data to the USA may be done based on the Standard Contractual Clauses approved by the European Commission, or based on the consent of the data subject.

Registry for Recording for the Personal Data Processing

The Registry of Recording of the Personal Data Processing has the role of assuring the transparence regarding the data controllers' activities and may be consulted by any interested person, such being available online on the DPA's website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.