Data Protection Laws and Regulations in Romania

What are the main data protection-related pieces of legislation and other regulations in Romania?

The key regulations in the field of data protection in Romania are (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation/ GDPR) and (b) Law No. 190/2018 on measures to implement GDPR (Law 190/2018). Law 190/2018 mostly addresses the so-called “open matters” set forth by GDPR (i.e., the matters upon which the member states have been given the freedom to regulate at their sole discretion).

Additionally, there are a series of regulations addressing the rules for processing personal data in various fields, such as:

• Law No. 363 of 28 December 2018 on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of preventing, detecting, investigating, prosecuting, and combating criminal offenses or the execution of criminal penalties, educational and security measures, and on the free movement of such data (Law 363/2018);
• Law No. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector (Law 506/2004);
• Law No. 365/2002 on electronic commerce (Law 365/2002);
• Law No. 363/2022 regarding the establishment of the organizational framework for the purpose of national operationalization of the centralized system for determining the member states that hold information on the convictions of third-country nationals and stateless persons, as well as for the amendment and completion of Law no. 290/2004 regarding the criminal record (Law 363/2022).

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?

Law 190/2018 (Article 2)

• national identification number – the number by which a natural person is identified in certain record systems and which has general applicability, such as personal numerical code, series, and number of the identity document, passport number, driver's license number, insurance number social health;
• remedial plan – appendix to the report entailing the sanctioning of the contravention, pursuant to the conditions provided for in art. 11, by which the National Supervisory Authority for the Processing of Personal Data, hereinafter referred to as the National Supervisory Authority, establishes the remedial measures and the remedial deadline;
• remedial measure – solution ordered by the National Supervisory Authority in the remedial plan in order for the authority/public body to fulfill the obligations provided for by law;
• remediation period – the period of time of a maximum of 90 days from the date of communication of the minutes of detection and sanctioning of the contravention, during which the authority/public body has the opportunity to remedy the irregularities identified and comply with its legal obligations;
• performance of a task that serves a public interest – includes those activities of political parties or organizations of citizens pertaining to national minorities, of non-governmental organizations, which serve to achieve the objectives provided by constitutional law or public international law or the functioning of the democratic system, including encouraging the participation of citizens in the decision-making process and the preparation of public policies, respectively the promotion of the principles and values ​​of democracy.

Law 363/2018 (Article 4)

• restriction of processing – marking stored personal data, with the aim of limiting their future processing;
• profiling – any form of automatic processing of personal data that consists in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects of workplace performance, economic status, health, personal preferences, interests, correctness, behavior, location or movements of the respective natural person;
• data record system – any structured set of personal data accessible according to specific criteria, either centralized, decentralized, or distributed according to functional or geographical criteria;
• genetic data – personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information regarding the physiology or health of that natural person, as it results in particular from an analysis of a sample of biological material collected from that individual;
• biometric data – personal data resulting from specific processing techniques, related to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
• health data – personal data related to the physical or mental health of a natural person, including the provision of medical assistance services, which reveal information about their state of health;

Law 506/2004 (Article 2)

• user – any natural person who benefits from an electronic communications service intended for the public, without necessarily being a subscriber to this service;
• traffic data – any data processed for the purpose of transmitting a communication through an electronic communications network or for the purpose of invoicing the applicable amount for the operation;
• equipment identification data – technical data of the providers of communications services intended for the public and of the providers of public electronic communications networks, which allow the identification of the location of their communications equipment, processed for the purpose of transmitting a communication through an electronic communications network or for the purpose of invoicing the applicable amount for the operation;
• location data – any data processed in an electronic communications network or through an electronic communications service, which indicates the geographical position of the terminal equipment of the user of an electronic communications service intended for the public;
• communication – any information exchanged or transmitted between a determined number of participants by means of an electronic communications service intended for the public; this does not include information transmitted to the public through an electronic communications network as part of an audiovisual program service, to the extent that no link can be established between the information in question and the identifiable subscriber or user who receives it;
• value-added service – any service that requires the processing of traffic data or location data, for purposes other than the transmission of communication or the invoicing of the applicable amount for the operation;
• security breach of personal data – breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services intended for the public.

Law 365/2002 (Article 1)

• information society service – any service that is performed using electronic means and has the following characteristics:

1. a) is carried out in consideration of a patrimonial benefit, procured to the offeror in the usual way by the recipient;
2. b) it is not necessary for the offeror and the recipient to be physically present simultaneously in the same place;
3. c) is carried out by transmitting the information at the recipient's individual request;

• domain – an area of ​​an IT system, owned as such by a natural or legal person or by a group of natural or legal persons for the purpose of processing, storing, or transferring data;
• commercial communication – any form of communication intended to promote, directly or indirectly, the products, services, image, name or designation, firm or emblem of a trader or member of a regulated profession; the following do not in themselves constitute commercial communications: information allowing direct access to the activity of a natural or legal person, in particular by domain name or an e-mail address, communications related to the products, services, image, name or brands of a natural person or legal, carried out by a third party independent of the person in question, especially when they are carried out free of charge;
• identification data – any information that can allow or facilitate the performance of the types of operations, such as an identification code, name or designation, domicile or headquarters, telephone number, fax number, e-mail address, registration number, or other similar means of identification, the tax registration code, the personal numerical code and the like.

Which entities fall under the data privacy regulations in Romania?

Local data privacy regulations apply to:

1. individuals or legal entities (including public authorities) processing personal data as part of their activities or the activities of one of its branches established in Romania;
2. individuals or legal entities established outside the EU offering goods/services in Romania or monitoring the behavior of individuals in Romania.

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

Yes, there are a series of specific sector regulations addressing special rules for processing personal data in various fields.

Hence, Law 363/2018 regulates the processing of personal data in the field of criminal law and for national security purposes.

Law 365/2022 provides for a series of rules regarding the protection of private life in relation to commercial communications and the provision of information society services, while Law 5066/2004 aims to address the special rules regarding the protection of personal data in the field of electronic communications.

What rights do data subjects have under the data protection regulations in Romania?

The data subjects benefit from the rights regulated under GDPR, namely: (a) the right of access; (b) the right to rectification; (c) the right to erasure (“the right to be forgotten”); (d) the right to restriction of processing; (e) the right to data portability; (f) the right to object; (g) the right to lodge a complaint with the supervisory authority; (h) the right to an effective judicial remedy against the supervisory authority and/or the data controller or data processor.

What is the territorial application of the data privacy regime in your jurisdiction?

Romanian data protection regulations apply to the processing of personal data:

(a) in the context of the activities of an establishment of a data controller or a data processor in Romania, regardless of whether the processing itself takes place in Romania.

(b) pertaining to data subjects who are in Romania made by a controller or processor not established in Romania, where the processing activities are related to the offering of goods or services to such data subjects in Romania (irrespective of whether a payment of the data subject is required) or the monitoring of their behavior (as far as their behavior takes place within the territory of Romania).

What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?

Generally, organizations wishing to engage in data processing in Romania should comply with the following data processing principles:

1. lawfulness and fairness: organizations should ensure that each processing has an adequate legal basis and does not lead to unfair consequences for the concerned individuals;
2. transparency: organizations should ensure that the data subjects are made aware of the key aspects related to the contemplated processing unless such information is impossible or it would involve disproportionate efforts;
3. purpose limitation: organizations should ensure that they are processing the personal data only for specified and compatible purposes;
4. data minimization: organizations should ensure that when processing personal data they choose the less intrusive ways, to avoid excessive processing;
5. data accuracy: organizations should ensure that reasonable steps are taken to ensure that personal data is accurate and updated (where the case);
6. storage limitation: organizations should ensure that personal data is kept in a form that allows the identification of the concerned persons for a period that does not exceed the period necessary to fulfill the purposes for which the respective data are processed;
7. integrity and confidentiality: data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures;
8. accountability: organizations should be able to demonstrate due compliance with the above-mentioned principles and rules.

In addition, organizations should take into account that there are:

• sector-specific rules governing the processing of personal data in various industries (such as in the telecom, banking, and financial or e-commerce fields);
• special rules that apply when processing certain categories of personal data (such as processing of national identifiers) or for certain purposes (such as rules that apply when monitoring electronic communications means at the workplace);
• cases set out locally in which performing a data privacy impact assessment (DPIA) is mandatory.

What are the regulations and best practices concerning the retention and deletion of personal data in Romania?

Generally, when setting out the applicable retention periods organizations should consider:

• the mandatory retention periods prescribed by the applicable local regulations (for instance, 50 years for the storage of the personnel data, five years – for KYC/AML data or for financial/accounting data, etc.);
• the applicable rules regarding statute of limitations, such as for defending the rights and interests against claims in court (typically, the general three years term for time barring claims should be considered);
• the organization’s business needs, subject to the particularities of the carried-out activity and envisaged processing purposes.

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?Top of FormBottom of Form

The regulatory authority in Romania regarding data protection is the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) – https://www.dataprotection.ro

Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Romania

As per local law, appointing a Data Protection Officer is mandatory:

• where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
• where the core activities of the controller or the processor consist of processing on a large scale special categories of data or personal data relating to criminal convictions and offenses

It has been construed in practice that “regular and systematic” monitoring implies a continuous and recurrent monitoring activity. This might be the case, for instance, where:

• managing a telecommunication network;
• profiling and scoring for the purposes of risk assessment (for example, for credit, insurance premiums, fraud prevention, and money laundering);
• location tracking, for example through mobile applications (geo-location);
• closed-circuit television – CCTV;
• processing of patient data by a hospital;
• processing of content data, location data, and traffic data by Internet service providers;
• using behavioral advertising.

When determining whether the processing is carried out on a large scale, the following criteria should be considered:

• the number of data subjects – a specific number or a proportion of the relevant population;
• the volume of data and/or the range of different data items being processed;
• the duration, or permanence, of the data processing activity;
• the geographical extent of the processing activity.

Where possible (including where in doubt whether appointing a DPO is mandatory), it is advisable to nevertheless designate a data protection officer, since this would show diligence and care in complying with the relevant data protection duties.

In any case, when appointing a DPO, organizations are required to:

• publish the contact details of such on their website and/ or on any other easily accessible medium;
• communicate the contact details to the local Supervisory Authority.

How should data breaches be handled in your jurisdiction?

As a rule, personal data breaches need to be reported in the cases and within the timeframe regulated by GDPR. This means that the personal data breaches should be reported to the local Supervisory Authority where they are likely to pose risks to data subjects, within 72 hours after becoming aware of them.

By exception, personal data breaches falling under Law No. 506/2004 (personal data breaches in connection with the provisions of public electronic communication services) need to be notified in all cases, irrespective if they are likely or not to pose risks to data subjects.

When assessing the risks posed to data subjects, consideration should be given to both the likelihood and severity of the breach of the rights and freedoms of data subjects. To this end, the following criteria could be inter alia taken into account: (a) the type of breach (confidentiality, data availability and/ or data integrity); (b) the nature, sensitivity, and volume of personal data; (c) the ease of identification of individuals; (d) the severity of consequences for affected individuals; (e) the special characteristics of affected individuals; (f) the special characteristics of the controller; (g) the number of affected individuals; (h) the duration of the breach.

What are the potential penalties and fines for non-compliance with data protection regulations in Romania?

Failure to comply with the relevant data protection laws might trigger the following sanctions:

• warnings or administrative fines of up to EUR 20 million or, in case of legal enterprises, of up to 4% of the total annual worldwide turnover in the preceding financial year, whichever is the higher; and/ or
• corrective measures (such as banning, temporarily or definitively, the processing of personal data, limiting the processing, orders to fulfill certain compliance actions, including communicating a personal data breach to the affected individuals, etc.).

In certain cases, the local Supervisory Authority may decide to publish the sanction on its website, which might trigger significant reputational damages to the concerned data controller.

Are there any noticeable patterns or trends in how enforcement is carried out in Romania?

One may say that in the past most investigations were carried out by the local Supervisory Authority following received complaints. Still, a change in this paradigm may be noticed, as there is currently a trend in increasing the number of ex officio investigations.

Typically, such ex officio investigations are focused on so-called “data sensitive industries,” out of which probably the most exposed ones are financial and banking, telecom, e-commerce, and retail industry. Typically, the key areas of concern during investigations were compliance with transparency rules, use of monitoring tools (new technologies included), profiling, and marketing.

On another level, there may be a trend in the increase of the volume and amounts of the applied fine, all after a past period where the local Supervisory Authority had a fairly relaxed approach to these.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Romania?

All these emerging technologies pose significant data privacy challenges, particularly due to the high volumes of personal data involved and difficulties in addressing the key data protection principles (such as transparency, data accuracy, data minimization, etc.).

Besides such data privacy concerns, an equally important challenge is to accommodate and strike the proper balance between the need to protect private life and the achievement of the benefits entailed by such emerging technologies. This is more that at the EU level, one may notice a trend in regulating in fairly much detail these technologies which, besides the obvious advantage of increased predictability, might equally impact the appetite of using such new technologies or even hinder the implementation thereof.

These types of challenges are likely to bring incertitude to the way these emerging technologies dependent on the processing of personal data would evolve particularly on how the interference of such technologies with the data privacy requirements will be addressed and what are the expectations from the relevant stakeholders in terms of compliance. In this regard, the guidance issued by the data privacy authorities (both at the national and EU level) will play a crucial role.

Are there any expected changes in data protection on the horizon in the next 12 months in Romania?

For the next 12 months, no notable legislative evolutions are likely to appear at a local level. Rather, evolutions will most likely come from the EU level, particularly further to the adoption of the much-expected EU regulation on artificial intelligence (so-called “AI Regulation”) and hopefully of EU Regulation governing the protection of personal data in the electronic communication sector (so-called “E-Privacy Regulation”), which is pending adoption from few years.