COMPARATIVE GUIDE
10 April 2025

Data Privacy Comparative Guide

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

In Romania, the legal framework for data privacy is primarily based on the EU General Data Protection Regulation (2016/679) (GDPR), which is directly applicable across all EU member states. To complement and facilitate the implementation of the GDPR within the national context, Romania enacted Law 190/2018 on measures implementing the GDPR.

In relation to electronic communications, the EU e-Privacy Directive (2002/58/EC) has been transposed into national law through Law 506/2004 on the processing of personal data in the electronic communications sector.

Furthermore, matters pertaining to e-commerce are governed by Law 365/2002 on electronic commerce, which transposes the E-commerce Directive 2000/31/EC into national law. This statute delineates the legal parameters for information society services and online commercial transactions.

With respect to the processing of personal data in criminal matters, Law 363/2018 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, detection, investigation, prosecution of criminal activities or the execution of criminal convictions, as well as on the free movement of such data, will apply.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Romanian law does not set out any sector-specific data privacy requirements. However, the national legal framework sets out additional requirements that apply to particular cases, such as the following:

  • Commercial communications: The transmission of unsolicited commercial communications via email is prohibited unless the recipient has explicitly consented to receive such communications, as stipulated in Article 6(1) of Law 365/2002 on electronic commerce.
  • Processing of sensitive data: The processing of genetic, biometric or health data for automated decision making or profiling purposes is permitted under specific conditions:
    • with the explicit consent of the data subject; or
    • if the processing is carried out pursuant to express legal provisions, with the establishment of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject (Article 3(1) of Law 190/2018).
  • Consumer contracts involving digital content or services: Where consumers conclude contracts with professionals, the consumer protection provisions outlined in Emergency Ordinance 34/2014 – which transposed EU Directive 2019/2161 – will apply. Thus, any distance contract under which a trader provides the consumer with digital content or a digital service, where the consumer is not obliged to pay a price but is required to provide personal data, will fall under the legal requirements of the emergency ordinance, as long as the personal data is processed on a legal basis other than performance of a contract or compliance of the trader with a legal obligation.
  • Healthcare sector: The processing of health-related data is also regulated under Law 95/2006. The Ministry of Health and its subordinate institutions must process personal data, including patient identifiers and medical diagnoses, through the Electronic Reporting System, in compliance with the GDPR and Law 190/2018. Data must be retained for five years before irreversible anonymisation.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Not applicable.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The national authority responsible for enforcing the data privacy legislation is the National Supervisory Authority for Personal Data Processing (ANSPDCP). Established to protect the fundamental rights and freedoms of individuals – particularly their right to privacy concerning personal data processing and the free movement of such data – the ANSPDCP operates with complete independence and impartiality.

The ANSPDCP can carry out investigations with respect to entities' compliance with privacy matters (including dawn raids at their premises). The ANSPDCP also handles complaints filed by natural persons with respect to privacy matters, especially where such complaints involve the illegal processing of personal data by controllers. Moreover, the ANSPDCP has:

  • corrective powers as set out under Article 58 of the GDPR; and
  • the right to apply administrative fines as per Article 83 of the GDPR.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

The ANSPDCP has not yet recognised any codes of conduct related to data protection. On 24 June 2021, the ANSPDCP issued Decision 20, establishing additional requirements for the accreditation of certification bodies under Article 43 of the GDPR. However, no such certification bodies have been accredited to date.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The data privacy legal framework applies to all entities that process personal data or are directly involved in activities concerning the processing of personal data.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

As per Article 2 of the EU General Data Protection Regulation, the data privacy regime does not apply to personal data that is processed:

  • in the course of an activity which falls outside the scope of EU law;
  • by EU member states in carrying out activities which fall within the scope of Chapter 2, Title V of the Treaty on European Union;
  • by a natural person in the course of a purely personal or household activity; or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.

2.3 Does the data privacy regime have extra-territorial application?

The Romanian data privacy regime applies to the processing of personal data in the context of the activities of an establishment of a data controller or a data processor in Romania, regardless of whether the processing itself takes place in Romania. The regime further applies to entities that are not established in Romania where the processing relates to:

  • the offering of goods or services to data subjects in Romania, irrespective of whether payment from the data subjects is required; or
  • the monitoring of data subjects' behaviour insofar as that behaviour takes place within Romania or the European Union.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

There are no specific derogations from the provisions of the EU General Data Protection Regulation in relation to the definition of terms. The key terms are thus defined as follows.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

(d) Data subject

An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

The specific term is ‘special categories of personal data’, which refers to:

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and
  • genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, through a statement or a clear affirmative action, signify their agreement to the processing of personal data relating to them.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The national legislation pays particular attention to the processing of national identification numbers, such as:

  • the unique identification number series of an ID card;
  • a passport number;
  • a driving licence number; or
  • a social health insurance number.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

In Romania, the obligation for data controllers and processors to register with the National Supervisory Authority for Personal Data Processing was repealed on 25 May 2018, coinciding with the enforcement of the General Data Protection Regulation. Prior to this, such a requirement existed under Law 677/2001. Consequently, there are no legal consequences for failure to register, as registration is no longer mandatory.

4.2 What is the process for registration?

Not applicable.

4.3 Is registered information publicly accessible?

Not applicable.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

The lawful bases for processing personal data are those set out in the EU General Data Protection Regulation (GDPR).

Thus, personal data can be processed, in accordance with Article 6 of the GDPR, based on:

  • consent;
  • performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation to which the data controller is subject;
  • the necessity to protect the vital interests of the data subject or of another natural person;
  • the necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.

With respect to the processing of sensitive personal data, the same rules provided in the GDPR apply: the processing of sensitive personal data is prohibited, except where the exemptions set out in Article 9(2) of the GDPR apply.

With respect to personal data relating to criminal convictions and offences, as provided in Article 10 of the GDPR, such processing must be carried out only:

  • under the control of an official authority; or
  • where the processing is authorised by EU or national law providing for appropriate safeguards for the rights and freedoms of data subjects.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Personal data in Romania must be processed in compliance with the principles outlined in Article 5 of the GDPR, as follows:

  • lawfulness, fairness and transparency (ie, personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject);
  • purpose limitation (personal data must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes);
  • data minimisation (processing must be adequate, relevant and limited to what is necessary);
  • accuracy (processing must be accurate and data must be kept up to date);
  • storage limitation (personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed);
  • integrity and confidentiality (personal data must be processed in a manner that ensures appropriate security of the personal data); and
  • accountability (the data controller is responsible for and must be able to demonstrate compliance with the data processing principles).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

Following the practice of the National Supervisory Authority for Personal Data Processing (ANSPDCP), data controllers and processors should pay additional attention to processing based on consent, especially when sending commercial communications to data subjects. The ANSPDCP has issued several fines in this respect, arguing that either:

  • the data controller or processor failed to prove that the data subject consented to such processing; or
  • the data controller or processor did not correctly address a data subject's request for consent withdrawal.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

In Romania, personal data can be transferred to third parties only if such transfer can be justified on a lawful basis, irrespective of whether the transfer is carried out between data controllers, to joint controllers or from controllers to processors or vice versa.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Additional requirements apply to data transfers outside the European Union or the European Economic Area, except for those countries or territories for which the European Commission has issued an adequacy decision (through which the European Commission states that the legal framework can ensure an adequate level of protection), such as Andorra, Argentina, Canada (only for commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (under the EU General Data Protection Regulation and the Law Enforcement Directive) and Uruguay.

Notably, the United States has been added to this list for commercial organisations participating in the EU-US Data Privacy Framework. This framework replaces the previous Privacy Shield arrangement and aims to ensure that participating US companies provide adequate data protection standards.

With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by Article 36 of the EU Law Enforcement Directive (2016/680).

For other territories, data transfers can be carried out only if:

  • the data controller or processor that is party to the agreement has provided appropriate safeguards; and
  • enforceable data subject rights and effective legal remedies for data subjects are available.

These requirements can be satisfied through:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard contractual clauses adopted by the European Commission;
  • standard contractual clauses adopted by a supervisory authority and approved by the European Commission;
  • an approved code of conduct together with binding and enforceable commitments of the data controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
  • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Additional attention should be paid to data transfers to the United States following the ruling in Schrems II (C-311/18), through which the Privacy Shield was invalidated, requiring organisations to:

  • reassess their legal basis for transferring personal data to the United States; and
  • implement additional safeguards.

However, on 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). Under this framework:

  • transfers to the United States are permitted without additional safeguards if the US recipient is certified under the DPF; and
  • organisations must verify that the US data importer is listed in the DPF registry before relying on this mechanism.

For US entities not covered by the DPF, organisations must:

  • use standard contractual clauses or binding corporate rules; and
  • conduct a transfer impact assessment to determine whether additional safeguards – such as encryption, pseudonymisation or strict access controls – are required to maintain General Data Protection Regulation compliance.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Data subjects have the right:

  • to be informed about the processing of their personal data;
  • to access their personal data;
  • to rectify their personal data;
  • to the erasure of their personal data (right to be forgotten);
  • to restriction of processing;
  • to data portability;
  • to object to the processing;
  • not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject; and
  • to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

Obviously, such rights are not absolute. Taking into consideration the particularities of each case, specific limitations may apply. For example, a data subject cannot exercise the right to erasure if such action may affect the controller in exercising or defending legal claims.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

A data subject can exercise its rights under the EU General Data Protection Regulation (GDPR) by submitting a request in this regard directly to the data controller. The data controller must:

  • facilitate the exercise of the data subject's rights under the GDPR; and
  • provide information on the action taken in relation to the data subject's request without undue delay and in any event within one month of receipt of the request (which may be extended by a further two months where necessary, taking into account the complexity and number of requests).

If the data controller does not respond to the request submitted by the data subject or takes no action in this respect, the data subject can submit a complaint against the data controller to the ANSPDCP and/or seek a judicial remedy from the competent courts.

7.3 What remedies are available to data subjects in case of breach of their rights?

If a data subject considers that their rights have been infringed by a data controller, they are entitled to submit a formal complaint to the National Supervisory Authority for Personal Data Processing (ANSPDCP). Furthermore, they have the right to pursue an effective judicial remedy against any legally binding decision issued by the ANSPDCP that directly concerns them.

Moreover, where the data subject considers that their rights under the GDPR have been infringed as a result of the processing of personal data in non-compliance with the GDPR, the regulation provides for the right to an effective judicial remedy, including the right to obtain compensation from the data controller or processor for the damage suffered. However, such damages can only be established by a court of law.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Under the provisions of the EU General Data Protection Regulation (GDPR) regulating the appointment of a data protection officer (DPO) (Article 37), the appointment of a DPO is mandatory where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or processor consist of processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the data controller or processor consist of processing on a large scale of special categories of sensitive data or personal data relating to criminal convictions and offences.

Law 190/2018 sets out an additional requirement in this respect: a DPO must be appointed in all cases where a national identification number is processed based on the legitimate interest of the data controller.

Failure to appoint a DPO may attract significant fines (of up to €10 million or up to 2% of the total worldwide annual turnover in the preceding financial year).

Furthermore, the National Supervisory Authority for Personal Data Processing (ANSPDCP) has issued a best practice recommendation encouraging all data controllers, regardless of their legal obligations, to appoint a DPO as a measure of enhanced compliance and accountability.

8.2 What qualifications or other criteria must the data protection officer meet?

The DPO should be appointed based on his or her professional qualities and, in particular, expert knowledge of data protection law (Article 37(5) of the GDPR). Although the specific qualities that a DPO must possess are not mentioned in the GDPR, the Guidelines on Data Protection Officers (issued by the World Forum for Harmonization of Vehicle Regulations and endorsed by the European Data Protection Board) state that the DPO must have:

  • expertise in national and European data protection laws and practices; and
  • an in-depth understanding of the GDPR.

Knowledge of the business sector and the organisation of the data controller is also useful, as the DPO should have a good understanding of:

  • the processing operations carried out; and
  • the information systems and data security and data protection needs of the data controller.

With respect to the ability to fulfil their tasks, the Guidelines on Data Protection Officers state that this requirement should be interpreted as referring not only to the DPO's personal qualities and knowledge, but also to their position within the organisation.

The DPO must not be in a position that is incompatible with this function (eg, chief executive officer, chief operating officer, chief financial officer, chief marketing officer, head of the marketing department, head of HR or head of IT).

To function effectively, the DPO must be provided with adequate resources. These include:

  • sufficient time and staff support to handle DPO tasks;
  • budgets for training and tools; and
  • access to all relevant personal data and processing operations.

Senior management should:

  • actively back the DPO's function; and
  • ensure that they have the authority to investigate and the means to maintain their expertise (eg, continuous training).

In summary, the organisation should set up the DPO for success, with tangible support and empowerment.

8.3 What are the key responsibilities of the data protection officer?

The key responsibilities of a DPO are outlined in Article 39 of the GDPR as follows:

  • to inform and advise the data controller or processor and employees who carry out data processing of their obligations pursuant to the GDPR and relevant data protection laws;
  • to monitor compliance with the GDPR and other relevant data protection provisions, and with the policies of the data controller or processor in relation to the protection of personal data – including the assignment of responsibilities, awareness raising and training of staff involved in processing operations – and to conduct related audits;
  • to advise where requested on data protection impact assessments and monitor the company's performance pursuant to the relevant legal provisions;
  • to cooperate with the supervisory authority; and
  • to act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Under Romanian law, the role of the DPO can be outsourced to either an individual or an organisation (eg, a law firm). In such cases, each person involved in the DPO service must be:

  • free of conflicts of interest; and
  • protected from any dismissal or penalty related to their DPO activities.

However, it is of the utmost importance that in such cases, the conflict of interest rule is respected in the same way as for an internally appointed DPO.

When deciding to outsource the role of the DPO, the data controller must take several factors into consideration. For example, in an organisation where data processing activities present a higher degree of complexity, data controllers must ensure that the external DPO:

  • has significant knowledge of the business sector and the organisation of the controller; and
  • can address on a day-to-day basis the privacy matters which the organisation faces.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

As per Article 5(2) of the GDPR, the data controller is responsible for, and must be able to demonstrate compliance with, the data protection principles. Thus, any aspect that assists with the analysis of particular situations should be documented, at least from a privacy point of view.

In particular, the data controller should:

  • maintain adequate records of processing activities as required under Article 30 of the GDPR (this applies to both controllers and processors, except for organisations with fewer than 250 employees, unless processing is high risk or frequent, or involves special categories of data);
  • implement privacy policies, data protection impact assessments (DPIAs) and legitimate interest assessments (LIAs) where applicable. DPIAs are mandatory under Article 35 of the GDPR for processing operations that are likely to result in a high risk to the rights and freedoms of data subjects;
  • keep records of data subject rights requests (eg, access, erasure and rectification) and ensure their timely processing; and
  • maintain documentation of data breaches, including the facts, effects and remedial actions taken (Article 33(5) of the GDPR).

In addition, the European Data Protection Board emphasises the importance of proactive compliance, meaning that organisations should not only reactively document compliance efforts but also implement ongoing monitoring and risk assessments.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

The ANSPDCP often carries out its investigations through requests for information sent to the data controller or processor. Thus, documenting the analysis carried out with respect to data processing activities is the most reliable way to demonstrate compliance with the privacy requirements.

Data controllers and processors should also seek to implement a regular training programme for employees. It is of the utmost importance that such training programmes include practical ways to test employees' knowledge of the GDPR. This enables the data controller or processor to prove that its employees have the necessary knowledge of the data privacy rules and internal procedures in case of an investigation conducted by the ANSPDCP.

As data protection regulations and enforcement practices evolve, organisations must regularly update their privacy policies, training programmes and compliance frameworks.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

All data controllers and processors must implement adequate security measures in order to protect the personal data processed in their normal course of business. As per Article 32 of the EU General Data Protection Regulation (GDPR), data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Such security measures can vary depending on the activity carried out by the data controller or processor. Where appropriate, such security measures may include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

As per Article 33 of the GDPR, as a rule, the data controller or processor must notify a data breach to the National Supervisory Authority for Personal Data Processing (ANSPDCP) without undue delay and, where feasible, no later than 72 hours after becoming aware of it. If the ANSPDCP is not notified within 72 hours, such notification must be accompanied by the reasons for the delay. This obligation to notify the regulator will not apply where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The data breach can be notified through the dedicated data breach section on the ANSPDCP's website (www.dataprotection.ro). The notification should contain at least the following information:

  • the nature of the personal data breach, including, where possible:
    • the categories and approximate number of data subjects concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

It is also important to provide the ANSPDCP with information about the context in which the data breach occurred (eg, due to a ransomware attack, human error or other similar event).

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Data breaches must be notified to the affected data subjects if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication to the data subject must:

  • be made without undue delay;
  • describe in clear and plain language the nature of the personal data breach; and
  • contain at least the information provided to the ANSPDCP when notifying it of a data breach (see question 9.2).

Nonetheless, based on Article 34(4) of the GDPR, if the ANSPDCP considers that a personal data breach should be notified to the data subjects, it can instruct the data controller or processor to do so.

The data controller or processor will be exempt from the obligation to notify the data breach to the affected data subjects only if:

  • the data controller has implemented appropriate technical and organisational protection measures, which have been applied to the personal data affected by the data breach – in particular, measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
  • notification would involve disproportionate effort, in which case the data controller can instead issue a public communication or similar measure whereby data subjects are informed in an equally effective manner.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

The European Data Protection Board Guidelines on Personal Data Breach Notification provide clear recommendations for minimising the impact of breaches and ensuring compliance. These include:

  • implementing encryption and pseudonymisation to render data unintelligible to unauthorised parties;
  • establishing robust access controls to prevent unauthorised access; and
  • conducting regular vulnerability assessments and penetration tests to identify and mitigate security weaknesses before incidents occur.

Additionally, organisations should:

  • document all breaches in an internal register, even if they do not meet the threshold for notification; and
  • ensure that incident response plans are regularly tested through simulations and training.

Given that the ANSPDCP frequently sanctions breaches resulting from ransomware attacks and misdirected emails, organisations in Romania should place particular emphasis on employee training and awareness programmes to prevent human errors and ensure that staff can recognise and respond to security threats. Furthermore, as repeated breaches have led to increased administrative liability, companies should proactively review and enhance their security policies, risk assessments and technical safeguards to avoid regulatory scrutiny and mitigate financial and reputational risks.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

Apart from the general requirements provided in the EU General Data Protection Regulation and the information reflected in question 10.2, there are no particular restrictions with respect to the processing of the personal data of employees.

However, the National Supervisory Authority for Personal Data Processing (ANSPDCP) aligns with the recommendations of the European Data Protection Board, emphasising the need:

  • to have clear justifications for processing; and
  • to ensure that employees' rights and freedoms are adequately protected in workplace data processing activities.

Given the heightened risk of power imbalances in employer-employee relationships, data processing based solely on employee consent should be used with caution. The ANSPDCP has clarified that employee consent may not be considered freely given due to the unequal bargaining position between the employer and the employee. Instead, employers should prioritise contractual necessity, legal obligations or legitimate interests as more appropriate legal bases for processing employee data.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

Law 190/2018 sets out specific rules on the processing of personal data in employment relationships. As per Article 5 of Law 190/2018, where monitoring systems by means of electronic communications and/or video surveillance are used in the workplace, the processing of employees' personal data for the purpose of pursuing the legitimate interests of the employer is permitted only if:

  • the legitimate interests of the employer are duly justified and override the interests or rights and freedoms of the data subjects;
  • the employer has provided the employees with full and explicit prior information;
  • the employer has consulted the trade union or, where appropriate, the employees' representatives before introducing the monitoring systems;
  • other less intrusive forms and ways of achieving the employer's intended purpose have not previously proved effective; and
  • the duration for which the personal data is stored is proportionate to the purpose of processing, but not longer than 30 days, except in situations expressly provided for by law or in duly justified cases.

Failure to comply with such requirements may attract significant fines (up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year).

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The National Supervisory Authority for Personal Data Processing (ANSPDCP) seems reluctant to approve any system in which access to work premises, or any other form of authentication, is carried out using employees' biometric data. The ANSPDCP's recent practice suggests that biometric access systems can be implemented only on the basis of the data subject's consent, in which case the data controller must be able to prove that such consent was express, free and informed.

In one notable case, the ANSPDCP sanctioned an organisation for processing employees' biometric data without adequate justification. The company:

  • utilised fingerprint-based access systems and installed video surveillance in areas such as offices and changing rooms without demonstrating a legitimate interest that outweighed the employees' privacy rights;
  • failed to explore less intrusive alternatives; and
  • did not consult with employee representatives prior to implementing these measures.

Consequently, the ANSPDCP imposed fines for excessive data processing and insufficient safeguards.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The Romanian data privacy regime contains no specific dedicated provisions on cookies. Thus, the use of cookies must comply with:

  • the EU General Data Protection Regulation (GDPR) requirements;
  • the case law of the Court of Justice of the European Union (CJEU) – specifically the decision in Planet49 (C-673/17), in which the CJEU underlined that non-essential cookies must be placed based on expressly and freely given consent;
  • the ePrivacy Directive; and
  • the European Data Protection Board (EDPB) guidance on cookie consent.

Moreover, as per the European Data Protection Board Guidelines on consent, data controllers should bear in mind the following:

  • No pre-ticked checkboxes are allowed on cookie consent banners;
  • Scrolling and continued browsing do not represent valid consent; and
  • Cookie walls (forced consent) do not represent valid consent.

Additionally, under Article 5(3) of the ePrivacy Directive, any non-essential cookies (eg, for analytics or advertising) can be placed only if the user has given prior consent after being provided with clear and comprehensive information. In Romania, this directive is implemented by Law 506/2004, which mirrors the EU rule – users must:

  • "expressly consent" before cookies are stored; and
  • be informed about the cookies' purpose in a "clear and user-friendly" way.

Law 506/2004 even notes that consent may be given via browser settings, but in practice default browser settings are not sufficient to prove the 'clear affirmative' consent required. If cookies involve the processing of personal data (as tracking cookies usually do), the GDPR also applies in parallel, meaning that the consent must satisfy the GDPR's definition and all GDPR principles (eg, transparency, purpose limitation, data security). According to the CJEU, the consent required under the ePrivacy Directive for storing or accessing cookies has the same meaning as the data subject's consent as defined in the GDPR. In other words, cookie consent must be:

  • freely given, specific, informed and unambiguous; and
  • given by a clear affirmative action by the user.

This aligns the e-privacy consent standard with Article 7 and Recital 32 of the GDPR; therefore, a pre-ticked box, silence or inactivity does not constitute valid consent. Controllers must also enable users to withdraw consent as easily as it was given, per GDPR requirements (Article 7(3)).

The European Data Protection Board has issued guidelines clarifying how the GDPR's consent requirements apply to cookies, and these aspects are also taken into account by the National Supervisory Authority for Personal Data Processing (ANSPDCP) in its activities.

Key points from the EDPB guidelines include the following:

  • No 'cookie walls': Access to a website or service cannot be conditional on accepting cookies.
  • Affirmative user action: Consent must be given through a clear, affirmative action.
  • Granular consent and no bundling: Users should have separate consent options for different types of cookies.
  • Withdrawal and ease of refusal: Refusing cookies should be as easy as accepting them, without undue consequences.
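As an added illustration of the consent rules set out in this section (Planet49, the EDPB guidance and Law 506/2004), and not code from the original guide or from any vendor, the following browser-side consent gate blocks non-essential cookies until the user takes an affirmative action, presents no pre-ticked choices, keeps consent granular per category, rejects scrolling or continued browsing as a consent signal, makes withdrawal a single call and keeps a log as evidence of express consent. The category names, the cookie-to-category mapping and the `sink` callback standing in for `document.cookie` are assumptions.

```javascript
// Added example: a minimal cookie-consent gate. Not the guide's or any vendor's code.
// Assumptions: category names, cookie mapping and the "sink" abstraction are invented here.

const CATEGORIES = ["essential", "analytics", "advertising"]; // assumed categories
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "essential");

// Cookie name -> category (assumed mapping). Unknown cookies are treated as non-essential.
const COOKIE_CATEGORY = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",
  ad_id: "advertising",
};

// Only an explicit user gesture counts as a "clear affirmative action".
const AFFIRMATIVE_EVENTS = new Set(["click", "tap", "submit"]);

class ConsentGate {
  constructor() {
    // Default state: nothing non-essential is permitted until the user decides.
    this.choices = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.decided = false;
    this.log = []; // every consent event, kept as evidence that consent was express
  }

  // What the banner renders: every non-essential box unticked (no pre-ticked choices).
  defaultBannerChoices() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Record a decision. `event.type` says how it was given; scroll, timeout or
  // navigation are not consent and are rejected, leaving the state unchanged.
  record(choices, event) {
    const type = event && event.type;
    if (!AFFIRMATIVE_EVENTS.has(type)) {
      throw new Error(`consent not recorded: '${type}' is not an affirmative action`);
    }
    for (const cat of NON_ESSENTIAL) {
      // Granular: each category is decided on its own; anything omitted stays refused.
      this.choices[cat] = choices[cat] === true;
    }
    this.decided = true;
    this.log.push({ at: new Date().toISOString(), type, choices: { ...this.choices } });
    return { ...this.choices };
  }

  // Withdrawal: one call with no arguments, the same effort as accepting.
  withdrawAll() {
    for (const cat of NON_ESSENTIAL) this.choices[cat] = false;
    this.decided = true;
    this.log.push({ at: new Date().toISOString(), type: "withdraw", choices: { ...this.choices } });
    return { ...this.choices };
  }

  // The gate: may this cookie be set right now?
  allows(cookieName) {
    const cat = COOKIE_CATEGORY[cookieName] || "unknown";
    if (cat === "essential") return true; // strictly necessary cookies need no consent
    return this.choices[cat] === true;   // "unknown" -> undefined -> refused
  }

  // Use this instead of assigning document.cookie directly; `sink` is the assumed
  // write function (in a browser: (s) => { document.cookie = s; }).
  setCookie(name, value, sink) {
    if (!this.allows(name)) return false;
    sink(`${name}=${value}`);
    return true;
  }
}
```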

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

Apart from the general obligations set out in the GDPR, suppliers of cloud computing services must comply with the requirements of Law 362/2018 on ensuring an increased common level of security for computer networks and systems, which incorporates the EU Network and Information Systems Directive (2016/1148) into national law. Law 362/2018 expressly states that the National Cybersecurity Directorate (DNSC) will cooperate with the ANSPDCP in any situation where incidents result in prejudice to personal data security.

Based on Law 362/2018, suppliers of cloud computing services, as digital service providers, must observe a set of mandatory requirements imposed by law, including the obligation:

  • to implement adequate and proportional technical and organisational measures in order to ensure the minimum security conditions imposed by law for network and information systems; and
  • to immediately notify the DNSC of any incident that has a significant impact on the provision of digital services.

In implementing the required measures, suppliers of cloud computing services must consider the technical norms elaborated by the DNSC. Moreover, if specific requirements are met, such suppliers will be subject to a national identification and registration process. Following the applicable registration procedure, the supplier will be subject to monitoring and control by the DNSC. Failure to comply with Law 362/2018 may attract significant administrative fines (up to 5% of the turnover of the economic operator in case of repeated breaches).

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

As the ANSPDCP focuses on electronic commercial communication issues, data controllers and processors should pay additional attention when determining whether such communications are possible.

Law 506/2004 states that unless the data subject has given prior express consent to receive them, it is forbidden to send commercial communications:

  • by means of automated calling and communication systems that do not require human intervention;
  • by fax or email; or
  • by any other method using publicly available electronic communication services.

However, where a data controller directly obtains the email address of a data subject in connection with the sale of a product or service, the controller may use that address for the purpose of commercial communications relating to similar products or services which it markets, provided that the customer is given a clear and express opportunity to object to such use by simple means and free of charge – both when obtaining the email address and on the occasion of each commercial communication, if the data subject does not object initially.

The ways in which companies seek to avail themselves of this exception in order to send commercial communications have often come under scrutiny by the competent courts. Recent case law clearly underlines that such communications cannot be used for general advertising and marketing purposes, including requests for feedback on social media, prompts to download the trader's mobile application or other activities carried out for customer loyalty purposes.

In addition to ensuring compliance with Law 506/2004 and the GDPR, businesses engaging in online marketing must also consider the principles of transparency and fairness and the rights of data subjects when conducting electronic commercial communications. The consent for marketing communications must be freely given, specific, informed and unambiguous, meaning that pre-ticked boxes or bundled consent for multiple purposes is not valid. Moreover, the soft opt-in exception (permitting communications about similar products/services) should be narrowly interpreted and must not be extended to broader marketing campaigns, cross-promotional initiatives or affiliate marketing without additional consent.

The ANSPDCP has actively sanctioned companies that fail to offer a clear and easily accessible opt-out mechanism in each marketing message, reinforcing the requirement that recipients must be able to withdraw consent as easily as it was given. Additionally, the authority has scrutinised profiling and targeted advertising practices, particularly when businesses rely on legitimate interest instead of consent for behavioural advertising. Organisations should ensure that any profiling for direct marketing purposes:

  • is explicitly disclosed;
  • is conducted with a valid legal basis; and
  • does not result in automated decision-making with significant effects, as regulated under Article 22 of the GDPR.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

Disputes in Romania are resolved by:

  • district courts;
  • tribunals;
  • courts of appeal; and
  • the Supreme Court.

Depending on the complexity of the dispute, two or three jurisdictional levels can be followed. While a straightforward dispute can begin in the district court and can subsequently be appealed to a tribunal, more complex cases (especially concerning administrative acts issued by public authorities) begin in the courts of appeal and end at the Supreme Court.

With respect to privacy disputes concerning the sanctioning minutes or decisions of the National Supervisory Authority for Personal Data Processing (ANSPDCP), the legal provisions state that such disputes will be settled by the competent tribunal. The tribunal's decision can only be appealed to the competent court of appeal. In all cases where sanctioning minutes or a decision are issued, only the Romanian courts are competent to resolve such matters.

With respect to civil claims (temporary/permanent injunction or damages claims), the competent courts vary depending on:

  • the nature of the infringement; and
  • the total amount of damages requested.

However, as a general rule, such claims are often referred to district courts and can be subsequently appealed to tribunals and courts of appeal.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Disputes concerning privacy matters (irrespective of whether the dispute refers to the annulment of sanctioning minutes or a decision issued by the ANSPDCP or civil claims) revolve around the evidence presented to the court. In practice, data controllers or processors often cannot produce clear-cut evidence in order to properly sustain their claims, thus making it difficult to obtain a favourable decision.

Courts generally assess whether:

  • the ANSPDCP's findings were properly substantiated;
  • the principles of legality, proportionality and due process were respected; and
  • the contested data processing activities complied with the General Data Protection Regulation (GDPR) requirements.

The latest reports reveal the following data on cases:

  • In 2023, the ANSPDCP handled 155 cases pending before the courts at various procedural levels. During the year, 47 new lawsuits were filed, primarily challenging the authority's decisions under:
    • the GDPR; and
    • the Administrative Litigation Law (554/2004).
  • Notably, 28 of these cases contested sanctioning reports issued by the ANSPDCP.
  • In 2024, the number of new cases increased to 55, with claims based on:
    • the GDPR;
    • Law 190/2018;
    • Law 506/2004 (the ePrivacy Law); and
    • the Administrative Litigation Law.

A significant portion of litigation concerns the contestation of fines imposed by the ANSPDCP. Between 2019 and 2023, the ANSPDCP issued 235 fines under the GDPR, of which only 63 were challenged in court. Among these cases, 28 have been finalised and, in 23 instances, the courts upheld the ANSPDCP's decision, confirming the legality of the sanctions imposed.

These statistics highlight a strong judicial precedent in favour of the ANSPDCP, suggesting that data controllers facing regulatory sanctions must ensure comprehensive compliance measures, robust documentation and well-founded legal arguments if they intend to challenge enforcement actions successfully.

12.3 Have there been any recent cases of note?

One notable case decided in 2024 involved a final court ruling on a personal data security breach that resulted in the unauthorised disclosure of customer transaction records on a public website. Following a complaint, the ANSPDCP conducted an investigation and found that the data controller had violated Articles 32(1) and (2) of the GDPR by failing to implement adequate technical and organisational measures to ensure an appropriate level of security. This failure led to unauthorised access to a significant volume of personal data, including:

  • names;
  • contact details;
  • order numbers;
  • delivery addresses;
  • order values; and
  • details regarding minor customers.

Additionally, the ANSPDCP found that the controller had violated Article 33(1) of the GDPR, as it had failed to notify the ANSPDCP of the data breach without undue delay, despite being aware of the incident and its impact on the confidentiality of customer data.

As a result, the ANSPDCP imposed:

  • a fine of RON 24,272.50 for non-compliance with Article 32 of the GDPR;
  • a warning for failure to report the breach under Article 33(1) of the GDPR; and
  • corrective measures, requiring the company to review and update its security measures to prevent similar unauthorised disclosures in the future.

The data controller contested the sanction, arguing that the fine was disproportionate and that the ANSPDCP had not properly assessed mitigating factors. However, the Court of Appeal upheld the ANSPDCP's decision, ruling as follows:

  • The fine imposed complied with Article 21 of Government Ordinance 2/2001, being proportionate to the degree of social harm caused by the breach. The court highlighted that while a maximum fine of €10 million or 2% of the company's global turnover could have been imposed, the ANSPDCP had opted for a minimum fine, considering that the company had not provided evidence of its turnover.
  • The decision to impose both a fine and a warning was legally justified, as a mere warning would not have served as a sufficient deterrent and could encourage similar violations in the future.
  • The company had failed to demonstrate that it had implemented effective security measures to prevent unauthorised access, which contributed to the high-risk impact of the breach.

Ultimately, the court dismissed the complaint as unfounded, confirming that the sanctions and corrective measures imposed by the ANSPDCP were appropriate and necessary to:

  • ensure compliance with the GDPR; and
  • prevent future incidents of personal data breaches.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Romania's data privacy framework remains heavily influenced by the EU General Data Protection Regulation (GDPR) and national implementing laws, with the National Supervisory Authority for Personal Data Processing (ANSPDCP) intensifying its enforcement efforts. Over the past year, there has been a significant increase in investigations and fines, reflecting both:

  • heightened public awareness of data rights; and
  • the regulator's stricter approach to non-compliance.

The key enforcement priorities continue to centre on:

  • unauthorised data disclosures;
  • improper use of video surveillance;
  • failure to fulfil data subjects' rights; and
  • cybersecurity vulnerabilities leading to data breaches.

Additionally, unlawful direct marketing practices remain under scrutiny, with businesses facing fines for failing to respect:

  • opt-out requests; and
  • consent withdrawal mechanisms.

Looking ahead, emerging EU legislation will require Romanian organisations to adapt to new compliance standards:

  • The upcoming EU Artificial Intelligence Act will impose additional obligations on AI-driven data processing; and
  • The long-anticipated updated ePrivacy Regulation could introduce stricter rules on:
    • electronic communications privacy;
    • cookies; and
    • targeted advertising.

Meanwhile, developments in relation to the Digital Services Act and the Digital Markets Act will further influence the handling of personal data by online platforms operating in Romania. National legislative changes are expected to remain incremental, primarily aligning with broader EU digital policies rather than introducing significant domestic reforms.

The increasing adoption of AI, Big Data, and Internet of Things technologies presents further challenges for data privacy compliance, as these innovations often involve complex, large-scale personal data processing that can be difficult to reconcile with the GDPR's principles of:

  • transparency;
  • data minimisation; and
  • purpose limitation.

Companies leveraging AI for automated decision-making, profiling or customer analytics will need to:

  • implement privacy-by-design strategies;
  • conduct data protection impact assessments; and
  • ensure mechanisms for individuals to exercise their rights, particularly regarding:
    • automated processing; and
    • algorithmic fairness.

The ANSPDCP is expected to issue further guidance on these matters, following the European Data Protection Board's recent focus on AI governance and ethical data use.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Given the increased enforcement activity of the National Supervisory Authority for Personal Data Processing (ANSPDCP), organisations must adopt a proactive approach to compliance, ensuring that data protection obligations are continuously monitored rather than addressed only in response to regulatory actions. Regular internal audits and maintaining comprehensive records of processing activities are essential to demonstrate accountability, particularly when responding to ANSPDCP inquiries or investigations.

In addition to regular employee training on General Data Protection Regulation (GDPR) compliance, organisations should implement privacy-by-design and by-default principles at every stage of their operations. This includes:

  • conducting data protection impact assessments for high-risk processing activities; and
  • embedding robust access controls, encryption and anonymisation techniques to mitigate security risks.

Given that many personal data breaches stem from cybersecurity weaknesses, businesses must adopt strong security frameworks, including:

  • multi-factor authentication;
  • network segmentation; and
  • continuous vulnerability assessments.

A key sticking point remains the effective management of data subject rights requests. Organisations must ensure that mechanisms for handling access, rectification, deletion and objection requests:

  • are clear and efficient; and
  • do not impose unjustified barriers.

The ANSPDCP has previously sanctioned businesses that failed to respond in a timely and transparent manner, making compliance with Articles 12–15 of the GDPR a focus area.

Furthermore, direct marketing practices continue to attract regulatory scrutiny, particularly regarding consent management and opt-out mechanisms under Law 506/2004. Businesses engaging in digital marketing must ensure that:

  • consent for electronic communications is freely given, specific, informed and unambiguous; and
  • opt-out requests are respected immediately.

Failure to do so may result in significant fines, as the ANSPDCP has repeatedly emphasised the importance of respecting e-privacy rules in marketing communications.

Finally, businesses that process personal data across borders must remain vigilant about international data transfers, ensuring compliance with the GDPR's requirements, particularly following the adoption of the EU–US Data Privacy Framework. Organisations that rely on standard contractual clauses should:

  • regularly assess their transfer impact assessments; and
  • implement supplementary security measures where necessary.
