1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
The Romanian privacy provisions are aligned with the applicable EU law. The main statute in this regard is the EU General Data Protection Regulation (2016/679) (GDPR). Its direct applicability is supplemented by Law 190/2018 on measures implementing the GDPR. The EU e-Privacy Directive (2002/58/EC) has been transposed into national law through Law 506/2004 on the processing of personal data in the electronic communications sector. Moreover, at the national level, privacy matters specific to e-commerce are regulated by Law 365/2002 on e-commerce, which transposed the EU E-commerce Directive (2000/31/EC) into national law.
With respect to the processing of personal data in criminal matters, Law 363/2018 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, detection, investigation, prosecution of criminal activities or the execution of criminal convictions, as well as on the free movement of such data, applies.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Romanian law does not provide for specific requirements on data privacy matters in a particular sector. However, the national legal framework sets out additional requirements that apply to particular cases, such as the following:
- It is forbidden to send commercial communications by email, except where the data subject has expressly consented to receive such communications (Article 6(1) of Law 365/2002).
- The processing of genetic, biometric or health data for automated decision making or profiling purposes is permitted:
- with the explicit consent of the data subject; or
- if the processing is carried out pursuant to express legal provisions, with the establishment of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject (Article 3, para (1) of Law 190/2018).
- Where consumers conclude contracts with professionals, the consumer protection provisions outlined in Emergency Ordinance 34/2014 – which transposed the EU Consumer Rights Directive (2011/83/EU), as amended by Directive 2019/2161 – will apply. Thus, any distance contract under which a trader provides the consumer with digital content or a digital service, where the consumer is not obliged to pay a price but is required to provide personal data, will fall under the legal requirements of the emergency ordinance, as long as the personal data is processed on a legal basis other than the performance of a contract or the trader's compliance with a legal obligation.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The national authority responsible for enforcing the data privacy legislation is the National Supervisory Authority for Personal Data Processing (ANSPDCP). As provided in the ANSPDCP's law of establishment, its objective is to protect the fundamental rights and freedoms of natural persons – in particular, their right to privacy in relation to the processing of personal data and the free movement of such data.
The ANSPDCP can carry out investigations with respect to entities' compliance with privacy matters (including dawn raids at their premises). The ANSPDCP also handles complaints filed by natural persons with respect to privacy matters, especially where such complaints involve the illegal processing of personal data by controllers. Moreover, the ANSPDCP has:
- corrective powers as set out under Article 58 of the GDPR; and
- the right to apply administrative fines as per Article 83 of the GDPR.
With respect to Law 506/2004 and Law 365/2002, enforcement of some of the legal provisions also falls to the National Authority for Management and Regulation in Communications of Romania (ANCOM).
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
In terms of industry standards and best practices, the ANSPDCP has not yet been requested to recognise any codes of conduct. On 24 June 2021, the ANSPDCP issued a decision on the approval of additional requirements for the accreditation of certification bodies; but no such certification bodies have as yet been accredited.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The data privacy legal framework applies to all entities that process personal data or are directly involved in activities concerning the processing of personal data.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
As per Article 2 of the EU General Data Protection Regulation (GDPR), the data privacy regime does not apply to personal data that is processed:
- in the course of an activity which falls outside the scope of EU law;
- by EU member states in carrying out activities which fall within the scope of Chapter 2, Title V of the Treaty on European Union;
- by a natural person in the course of a purely personal or household activity; or
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.
Moreover, the National Supervisory Authority for Personal Data Processing (ANSPDCP) has stated that the GDPR applies only where personal data is collected, registered, stored and otherwise processed through a filing system (or by automated means). This essentially excludes the applicability of the GDPR where personal data is merely requested for verification purposes, such as checking an ID card to confirm that a person is not a minor before granting access to premises restricted to persons aged 18 or over.
2.3 Does the data privacy regime have extra-territorial application?
The Romanian data privacy regime applies to the processing of personal data in the context of the activities of an establishment of a data controller or a data processor in Romania, regardless of whether the processing itself takes place in Romania. The regime further applies to entities that are not established in Romania where the processing relates to:
- the offering of goods or services to data subjects in Romania, irrespective of whether payment from the data subjects is required; or
- the monitoring of data subjects' behaviour insofar as that behaviour takes place within Romania or the European Union.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
There are no specific derogations from the provisions of the EU General Data Protection Regulation in relation to the definition of terms. The key terms are thus defined as follows.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
(d) Data subject
An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
The specific term is 'special categories of personal data', which refers to:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and
- genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or a clear affirmative action, signifies his or her agreement to the processing of personal data relating to him or her.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
The national legislation (Article 4 of Law 190/2018) pays particular attention to the processing of national identification numbers, meaning numbers of general applicability by which a natural person is identified in certain record systems, such as:
- the personal numeric code (CNP);
- the series and number of an ID card;
- a passport number;
- a driving licence number; or
- a social health insurance number.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
In Romania, the registration of data controllers or processors is not mandatory. Such an obligation existed under the former data privacy regime (Law 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data), but was repealed as from 25 May 2018.
4.2 What is the process for registration?
4.3 Is registered information publicly accessible?
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
The lawful bases for processing personal data are those set out in the EU General Data Protection Regulation (GDPR).
Thus, as per Article 6(1) of the GDPR, personal data can be processed based on:
- the consent of the data subject to the processing of his or her personal data for one or more specific purposes;
- performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation to which the data controller is subject;
- the necessity to protect the vital interests of the data subject or of another natural person;
- the necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
- the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.
With respect to the processing of sensitive personal data, the same rules provided in the GDPR apply: the processing of sensitive personal data is prohibited, except where the exemptions set out in Article 9(2) of the GDPR apply.
With respect to personal data relating to criminal convictions and offences, as provided in Article 10 of the GDPR, such processing must be carried out only:
- under the control of an official authority; or
- where the processing is authorised by the European Union or national law providing for appropriate safeguards for the rights and freedoms of data subjects.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Personal data in Romania must be processed in compliance with the principles outlined in Article 5 of the GDPR, as follows:
- lawfulness, fairness, and transparency (ie, personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject);
- purpose limitation (personal data must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes);
- data minimisation (processing must be adequate, relevant and limited to what is necessary);
- accuracy (personal data must be accurate and, where necessary, kept up to date);
- storage limitation (personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed);
- integrity and confidentiality (personal data must be processed in a manner that ensures appropriate security of the personal data); and
- accountability (the data controller is responsible for and must be able to demonstrate compliance with the data processing principles).
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
In line with the practice of the National Supervisory Authority for Personal Data Processing (ANSPDCP), data controllers and processors should pay additional attention to processing based on consent, especially when sending commercial communications to data subjects. The ANSPDCP has issued several fines in this respect, finding that either:
- the data controller or processor failed to prove that the data subject consented to such processing; or
- the data controller or processor did not correctly address a data subject's request for consent withdrawal.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
In Romania, personal data can be transferred to third parties only if such transfer can be justified on a lawful basis, irrespective of whether the transfer is carried out between data controllers, to joint controllers or from controllers to processors or vice versa.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Additional requirements apply to data transfers outside the European Union or the European Economic Area, except for those countries or territories for which the European Commission has issued an adequacy decision (through which the European Commission confirms that the legal framework of the territory ensures an adequate level of protection), such as Andorra, Argentina, Canada (only for commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (under the EU General Data Protection Regulation and the Law Enforcement Directive) and Uruguay.
For other territories, as per Article 46 of the GDPR, data transfers can be carried out only if:
- the data controller or processor has provided appropriate safeguards; and
- enforceable data subject rights and effective legal remedies for data subjects are available.
These requirements can be satisfied through:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard contractual clauses adopted by the European Commission;
- standard contractual clauses adopted by a supervisory authority and approved by the European Commission;
- an approved code of conduct together with binding and enforceable commitments of the data controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Additional attention should be paid to data transfers to the United States following the ruling in Schrems II (C-311/18), through which the Privacy Shield was invalidated. Thus, any entity that relied on the Privacy Shield for transfers to the United States should reassess the contractual mechanism on which the transfer is based and implement the necessary supplementary safeguards in order for the transfer to take place lawfully.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Data subjects have the right:
- to be informed about the processing of their personal data;
- to access their personal data;
- to rectify their personal data;
- to the erasure of their personal data (right to be forgotten);
- to restriction of processing;
- to data portability;
- to object to the processing;
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject; and
- to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).
These rights are not absolute. Taking into consideration the particularities of each case, specific limitations may apply. For example, a data subject cannot exercise the right to erasure where the processing is necessary for the controller to establish, exercise or defend legal claims (Article 17(3)(e) of the GDPR).
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
A data subject can exercise its rights under the EU General Data Protection Regulation (GDPR) by submitting a request in this regard directly to the data controller. The data controller must facilitate the exercise of the data subject's rights under the GDPR. Moreover, the data controller is obliged to provide information on the action taken in relation to the data subject's request without undue delay and in any event within one month of receipt of the request (which may be extended by a further two months where necessary, taking into account the complexity and number of requests).
If the data controller does not respond to the request submitted by the data subject or takes no action in this respect, the data subject can submit a complaint against the data controller to the ANSPDCP and/or seek a judicial remedy from the competent courts.
7.3 What remedies are available to data subjects in case of breach of their rights?
If a data subject considers that his or her rights have been infringed by the data controller, he or she can submit a complaint to the ANSPDCP. Moreover, the data subject has the right to an effective judicial remedy against a legally binding decision of the ANSPDCP concerning him or her.
Moreover, where the data subject considers that his or her rights under the GDPR have been infringed as a result of the processing of personal data in non-compliance with the GDPR, the regulation provides for the right to an effective judicial remedy, including the right to obtain compensation from the data controller or processor for the damage suffered. However, such damages can only be established by a court of law.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
As set out in Article 37 of the EU General Data Protection Regulation (GDPR), the appointment of a data protection officer (DPO) is mandatory where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the data controller or processor consist of processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the data controller or processor consist of processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences.
Law 190/2018 (Article 4) sets out an additional requirement in this respect: a DPO must be appointed in all cases where a national identification number is processed based on the legitimate interest of the data controller.
Failure to appoint a DPO may attract significant fines (of up to €10 million or up to 2% of the total worldwide annual turnover in the preceding financial year).
8.2 What qualifications or other criteria must the data protection officer meet?
The DPO should be appointed based on his or her professional qualities and, in particular, expert knowledge of data protection law (Article 37(5) of the GDPR). Although the GDPR does not specify the qualifications a DPO must hold, the Guidelines on Data Protection Officers (issued by the Article 29 Working Party and endorsed by the European Data Protection Board) state that the DPO must have:
- expertise in national and European data protection laws and practices; and
- an in-depth understanding of the GDPR.
Knowledge of the business sector and the organisation of the data controller is also useful, as the DPO should have a good understanding of the processing operations carried out, as well as the information systems and data security and data protection needs of the data controller.
With respect to the ability to fulfil his or her tasks, the Guidelines on Data Protection Officers state that this requirement should be interpreted as referring not only to the DPO's personal qualities and knowledge, but also to his or her position within the organisation. The DPO must not be in a position that is incompatible with this function (eg, chief executive officer, chief operating officer, chief financial officer, chief marketing officer, head of the marketing department, head of HR or head of IT).
8.3 What are the key responsibilities of the data protection officer?
The key responsibilities of a DPO are outlined in Article 39 of the GDPR as follows:
- to inform and advise the data controller or processor and employees who carry out data processing of their obligations pursuant to the GDPR and relevant data protection laws;
- to monitor compliance with the GDPR and other relevant data protection provisions, and with the policies of the data controller or processor in relation to the protection of personal data – including the assignment of responsibilities, awareness raising and training of staff involved in processing operations – and to conduct related audits;
- to provide advice where requested on data protection impact assessments and monitor their performance pursuant to Article 35 of the GDPR;
- to cooperate with the supervisory authority; and
- to act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Under Romanian law, the role of the DPO can be outsourced to either an individual or an organisation (eg, a law firm). However, it is of the utmost importance that in such cases, the conflict of interests rule is respected in the same way as for an internally appointed DPO.
When deciding to outsource the role of the DPO, the data controller must take several factors into consideration. For example, in an organisation where data processing activities present a higher degree of complexity, data controllers must ensure that the external DPO:
- has significant knowledge of the business sector and the organisation of the controller; and
- can address on a day-to-day basis the privacy matters which the organisation faces.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
As per Article 5(2) of the GDPR, the data controller is responsible for, and must be able to demonstrate compliance with, the data protection principles. Thus, any analysis that supports a decision on a particular processing activity should be documented from a privacy point of view.
Thus, the data controller should:
- keep an adequate record of processing activities;
- implement adequate privacy policies, information notices, data protection impact assessments and legitimate interest assessments (or balancing tests); and
- always observe the GDPR requirements in conducting its activities.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
The National Supervisory Authority for Personal Data Processing (ANSPDCP) often carries out its investigations through requests for information sent to the data controller or processor. Thus, documenting the analysis carried out with respect to data processing activities is the most reliable way to demonstrate compliance with the privacy requirements.
Data controllers and processors should also seek to implement a regular training programme for employees. It is of the utmost importance that such training programmes include practical ways to test employees' knowledge of the GDPR. This enables the data controller or processor to prove that its employees have the necessary knowledge of the data privacy rules and internal procedures in case of an investigation conducted by the ANSPDCP.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
All data controllers and processors must implement adequate security measures in order to protect the personal data processed in their normal course of business. As per Article 32 of the EU General Data Protection Regulation (GDPR), data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Such security measures can vary depending on the activity carried out by the data controller or processor. Where appropriate, such security measures may include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
As per Article 33 of the GDPR, as a rule, the data controller must notify a personal data breach to the National Supervisory Authority for Personal Data Processing (ANSPDCP) without undue delay and, where feasible, no later than 72 hours after becoming aware of it; a data processor that becomes aware of a breach must notify the data controller without undue delay. If the ANSPDCP is not notified within 72 hours, the notification must be accompanied by the reasons for the delay. The obligation to notify the regulator does not apply where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The data breach can be notified through the dedicated data breach section on the ANSPDCP's website (www.dataprotection.ro). The notification should contain at least the following information:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach; and
- the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
It is also important to provide the ANSPDCP with information about the context in which the data breach occurred (eg, due to a ransomware attack, human error or other similar event).
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Data breaches must be notified to the affected data subjects if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 of the GDPR). The communication to the data subject must:
- be made without undue delay;
- describe in clear and plain language the nature of the personal data breach; and
- contain at least the information provided to the ANSPDCP when notifying it of a data breach (see question 9.2).
Nonetheless, based on Article 34(4) of the GDPR, if the ANSPDCP considers that a personal data breach should be notified to the data subjects, the data controller can be instructed to proceed accordingly.
The data controller is exempt from the obligation to notify the data breach to the affected data subjects only if:
- the data controller has implemented appropriate technical and organisational protection measures, which have been applied to the personal data affected by the data breach – in particular, measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- notification would involve disproportionate effort, in which case the data controller can instead issue a public communication or similar measure whereby data subjects are informed in an equally effective manner.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
In its recent enforcement practice, the ANSPDCP has applied sanctions for data breaches caused by:
- ransomware attacks; and
- the sending of emails to incorrect recipients.
Repeated data breaches (each notified to the ANSPDCP) have also recently led to the administrative liability of the data controller.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Apart from the general requirements provided in the EU General Data Protection Regulation and the information reflected in question 10.2, there are no particular restrictions with respect to the processing of the personal data of employees.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Law 190/2018 sets out specific rules on the processing of personal data in employment relationships. As per Article 5 of Law 190/2018, where monitoring systems by means of electronic communications and/or video surveillance are used in the workplace, the processing of employees' personal data for the purpose of pursuing the legitimate interests of the employer is permitted only if:
- the legitimate interests of the employer are duly justified and override the interests or rights and freedoms of the data subjects;
- the employer has provided the employees with full and explicit prior information;
- the employer has consulted the trade union or, where appropriate, the employees' representatives before introducing the monitoring systems;
- other less intrusive forms and ways of achieving the employer's intended purpose have not previously proved effective; and
- the duration for which the personal data is stored is proportionate to the purpose of processing, but not longer than 30 days, except in situations expressly provided for by law or in duly justified cases.
Failure to comply with such requirements may attract significant fines (up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year).
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
The National Supervisory Authority for Personal Data Processing (ANSPDCP) seems reluctant to approve any system that controls access to work premises, or performs other authentication, using employees' biometric data. The ANSPDCP's recent practice suggests that biometric access systems can be implemented only on the basis of the data subject's consent, in which case the data controller must be able to prove that such consent was express, free and informed.
11 Online issues
Moreover, as per the European Data Protection Board Guidelines on consent, data controllers should bear in mind the following:
- No pre-ticked checkboxes are allowed on cookie consent banners;
- Scrolling and continued browsing do not represent valid consent; and
- Cookie walls (forced consent) do not represent valid consent.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Apart from the general obligations set out in the GDPR, suppliers of cloud computing services must comply with the requirements of Law 362/2018 on ensuring an increased common level of security for computer networks and systems, which incorporates the EU Network and Information Systems Directive (2016/1148) into national law. Law 362/2018 expressly states that the National Cybersecurity Directorate (DNSC) will cooperate with the National Supervisory Authority for Personal Data Processing (ANSPDCP) in any situation where incidents result in prejudice to personal data security.
Based on Law 362/2018, suppliers of cloud computing services, as digital service providers, must observe a set of mandatory requirements imposed by law, including the obligation:
- to implement adequate and proportional technical and organisational measures in order to ensure the minimum security conditions imposed by law for network and information systems; and
- to immediately notify the DNSC of any incident that has a significant impact on the provision of digital services.
In implementing the required measures, suppliers of cloud computing services must consider the technical norms elaborated by the DNSC. Moreover, if specific requirements are met, such suppliers will be subject to a national identification and registration process. Following the applicable registration procedure, the supplier will be subject to monitoring and control by the DNSC. Failure to comply with Law 362/2018 may attract significant administrative fines (up to 5% of the turnover of the economic operator in case of repeated breaches).
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
As the ANSPDCP focuses on electronic commercial communication issues, data controllers and processors should pay additional attention when determining whether such communications are possible.
Law 506/2004 states that unless the data subject has given prior express consent to receive them, it is forbidden to send commercial communications:
- by means of automated calling and communication systems that do not require human intervention;
- by fax or email; or
- by any other method using publicly available electronic communication services.
However, where a data controller directly obtains the email address of a data subject in connection with the sale of a product or service, the controller may use that address for the purpose of commercial communications relating to similar products or services which it markets, provided that the customer is given a clear and express opportunity to object to such use by simple means and free of charge – both when obtaining the email address and on the occasion of each commercial communication, if the data subject does not object initially.
The ways in which companies seek to avail themselves of this exception in order to send commercial communications have often come under scrutiny by the competent courts. Recent case law clearly underlines that such communications cannot be used for general advertising and marketing purposes, including requests for feedback on social media, downloading of the trader's mobile application or other activities carried out for customer loyalty purposes.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
Disputes in Romania are resolved by:
- district courts;
- courts of appeal; and
- the Supreme Court.
Depending on the complexity of the dispute, two or three jurisdictional levels can be followed. While a straightforward dispute can begin in the district court and can subsequently be appealed to a tribunal, more complex cases (especially concerning administrative acts issued by public authorities) begin in the courts of appeal and end at the Supreme Court.
With respect to privacy disputes concerning the sanctioning minutes or decisions of the National Supervisory Authority for Personal Data Processing (ANSPDCP), the legal provisions state that such disputes will be settled by the competent tribunal. The tribunal's decision can only be appealed to the competent court of appeal. In all cases where sanctioning minutes or a decision is issued, only the Romanian courts are competent to resolve such issues.
With respect to civil claims (temporary/permanent injunction or damages claims), the competent courts vary depending on:
- the nature of the infringement; and
- the total amount of damages requested.
However, as a general rule, such claims are often referred to district courts and can be subsequently appealed to tribunals and courts of appeal.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Disputes concerning privacy matters (irrespective of whether the dispute refers to the annulment of sanctioning minutes or a decision issued by the ANSPDCP or civil claims) revolve around the evidence presented to the court. In practice, data controllers or processors often cannot produce clear-cut evidence in order to properly sustain their claims, thus making it difficult to obtain a favourable decision.
According to its latest annual report, the ANSPDCP managed a total of 152 cases pending before the courts at various procedural levels in 2021. Of these, 25 new statements of claim were submitted against acts issued by the ANSPDCP.
12.3 Have there been any recent cases of note?
In April 2022, the Cluj Court of Appeal dismissed a request for the annulment of an administrative fine of €100,000 against a bank for failure to comply with Article 32 of the EU General Data Protection Regulation (GDPR).
In order to prove its diligent conduct as regards the training of staff in the field of personal data protection, the bank submitted a series of internal regulations and evidence of training programmes on privacy matters. However, the court pointed out that this did not prove that staff had actually participated in these training programmes or that any means of verifying their understanding of the relevant information had been applied.
Moreover, the court pointed out that the evidence relied on by the banking institution to the effect that it had taken appropriate measures in order to implement the provisions of the GDPR was contradicted by the facts established by the uncontested infringement report, which attested to the intentional unauthorised disclosure by persons under the authority of the banking institution of a significant amount of personal data (some of which was highly sensitive) to a very large number of persons.
The court concluded that the carelessness with which the bank's employees had acted, transferring the personal data of customers between each other and subsequently to third parties via WhatsApp, showed not only a lack of knowledge of working procedures relating to the processing of personal data, but above all (and more seriously) their inability to identify and qualify the data to which they had access as personal data, indicating an acute lack of effective training.
The reasoning of the court confirms the fact that data controllers often have problems in providing sufficient evidence to the courts to substantiate their claims.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The data privacy landscape changed in 2018 due to the immediate need of data controllers and processors to align their activities with the EU General Data Protection Regulation (GDPR). In the early years of this regime, the National Supervisory Authority for Personal Data Processing (ANSPDCP) focused on prevention and information activities with respect to the new legal framework.
Today, four years down the line, the ANSPDCP has not changed its approach. The number of sanctions applied remains steady. As an example, in 2021, the ANSPDCP issued 36 fines (compared to 29 in 2020 and 28 in 2019), alongside 93 warnings (as opposed to 134 warnings in 2019) and 56 privacy corrective measures. The fines imposed exceeded €10,000 in only a few cases. The highest fine imposed to date was €150,000.
In 2021, the complaints submitted to the ANSPDCP involved the following issues, which we expect will remain a priority:
- infringement of the rights of data subjects – in particular:
  - the right of access;
  - the right to object; and
  - the right to have personal data deleted;
- the processing of images by means of installed video surveillance systems by employers at work or by condominium associations;
- the disclosure of personal data online, including on social networks;
- the processing of personal data in breach of the legal bases set out in Article 6 of the GDPR;
- the breach of security and confidentiality measures for data processing activities; and
- the sending of unsolicited commercial messages by telephone or email.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Due to the recent activity of the National Supervisory Authority for Personal Data Processing (ANSPDCP), our recommendation is to analyse compliance with the data protection regime on a day-to-day basis, in order to be able to properly document compliance with the applicable legal provisions. This will prove extremely useful when handling information requests received from the ANSPDCP.
Data controllers should also provide regular employee training on the EU General Data Protection Regulation. As an example, most personal data breaches resulting from ransomware attacks are caused by employees' failure to follow security requirements (eg, updating passwords on a regular basis) or their inability to properly identify fraudulent phishing communications.
The SIMION & BACIU team that authored this guide comprises Cosmina Maria Simion (Managing Partner), Ana-Maria Coruga (Managing Associate) and Petruș Partene (Associate).