Feb 2025

Romania

Law Over Borders Comparative Guide:

Data Protection

Introduction

Personal data protection gained a lot of attention in the wake of the General Data Protection Regulation 679/2016 (GDPR), applicable since May 2018. 

Prior to that, Law 677/2001, implementing Directive 95/46/EC, ensured protection of personal data, but the level of awareness and compliance was lower before 2018, mainly due to modest fines.

Once the GDPR became applicable, the Romanian legal landscape was further shaped by the Romanian Data Protection Authority, the National Authority for the Supervision of the Processing of Personal Data (ANSPDCP). 


1. What national laws regulate the collection, use and disclosure of personal data?

The GDPR governs personal data protection when the processing is carried out by controllers and processors operating establishment(s) in the EU and/or when the processing concerns data of individuals in the European Union, irrespective of the place of establishment of the entity doing the processing. The GDPR is directly and fully applicable in Romania, so in this summary we focus on the Romanian legal framework, without comprehensively recounting the GDPR provisions.

As per Chapter IX of the GDPR, each EU Member State can implement national legislation to complement or specify GDPR provisions, allowing for national rules to safeguard certain public interests, while ensuring these laws do not undermine the GDPR’s core protections and principles. Romania adopted in this respect Law 190/2018 on GDPR implementation measures (“Law 190/2018”), providing for special rules regarding the following areas:

  • Processing of genetic, biometric or health data for automated decision-making or profiling (see below, Question 6).
  • Processing of a national identification number (see below, Question 6).
  • Processing of personal data in the context of work relations is subject to strict conditions, in the vein of Article 29 Working Party, Opinion 2/2017 on data processing at work, WP249. The processing of employees’ personal data, via monitoring by means of electronic communications and/or video surveillance at the workplace, in order to achieve the employer’s legitimate interests, is allowed only if:
    • a) the employer’s legitimate interests are justified and override the data subjects’ interests, rights or freedoms;
    • b) mandatory, comprehensive and explicit prior notice is given by the employer;
    • c) the employer consulted the union or, as applicable, the employees’ representatives before deploying the monitoring;
    • d) other less intrusive forms and methods for achieving the goal pursued by the employer have proved ineffective; and
    • e) the storage time of personal data is proportionate to the purpose of the processing, but no longer than 30 days, except for situations expressly regulated by law or justified cases.
  • Personal data processing for journalistic purposes or for academic, artistic or literary expression is exempted from Chapters II–IX of the GDPR.
  • Personal data processing for scientific or historical research or statistical purposes is exempted from the rights in Articles 15, 16, 18 and 21 of the GDPR, while processing for archiving purposes in the public interest is exempted from the rights in Articles 15, 16, 18, 19, 20 and 21 of the GDPR.
  • Applying corrective measures to public authorities (see below, Question 13).

Law 102/2005, on the establishment, organization and functioning of ANSPDCP (“Law 102/2005”), was amended to ensure compliance with the GDPR. It provides for a three-year statute of limitations for the misdemeanours consisting of breaches of the personal data protection regime, extended to a maximum of four years where an investigation opened within the three-year window has not yet been finalised.

ANSPDCP adopts decisions and guidelines mandatory in Romania. These apply in addition to the secondary regulation produced by the European Data Protection Board, the latter for the entire EU. ANSPDCP decisions cover the standardised forms for personal data security breach notifications, both for the e-privacy and regular privacy regimes; complaints; investigative procedure; the list of processing operations requiring data protection impact assessment; and accreditation of bodies competent in certifications and codes of conduct.

Law 506/2004, on the processing of personal data and the protection of private life in the electronic communications sector, as amended (“Law 506/2004”), implements Directive 2002/58/EC (the ePrivacy Directive). This Romanian law establishes specific rules for data protection and privacy in the context of electronic communications and it complements the GDPR. 

The law mainly regulates the following:

  • The public electronic communications services providers must take — if necessary, together with the public electronic communications network providers — appropriate technical and organisational measures for the security of data processing. They must inform subscribers about risks of security breaches, including possible consequences and remedies, and, if an actual data breach occurs, they must notify ANSPDCP and inform data subjects. 
  • Communications content is confidential and cannot be intercepted or monitored without explicit consent, except as defined by law. Exceptions include monitoring by the users participating in the respective communication; by the competent authorities, according to the law; or for technical storage, necessary for transmitting the communication, under the condition of confidentiality. 
  • Websites and electronic communication services must inform users about the use of cookies and similar technologies. Explicit and informed consent must be obtained before placing and retrieving cookies on users’ devices unless the cookies are strictly necessary for the provision of a service explicitly requested by the user or exclusively serve the purpose of carrying out the communication transmission.
  • Traffic Data must be deleted or anonymised when no longer necessary for transmitting communications, and no later than three years after the communication, except when needed for billing or payment obligations. Traffic Data can be processed for marketing or value-added services only with the explicit and informed prior consent of the user or subscriber. Location Data may be processed only if anonymised; or for value-added services with the explicit and informed prior consent of the user or subscriber, which can be withdrawn at any time; or for one-way and undifferentiated information transmission.
  • Providers must inform the public about the available features to hide or reject callers and connected line identities. 
  • Subscribers have the right to be included in registers of public subscribers in accordance with the legislation on personal data protection. Providers of subscriber registers must inform subscribers about the purpose and potential uses of their data before inclusion, and subscribers have 45 working days to opt out from being recorded in these registers. These provisions apply not only to individuals, as personal data subjects, but also to subscribers that are legal entities.
  • Unsolicited communications — see below, Question 10.
  • Enforcement is entrusted to ANSPDCP and sanctions consist of administrative fines up to 4% of the annual turnover of the undertaking.

2. To whom do the laws apply?

In Romania, as in the EU, the general personal data protection framework applies to all actors that have a role in the processing of personal data — controllers (deciding why and how personal data is processed); processors (processing personal data on behalf and under the instructions of the controller), etc. 

As regards the e-privacy framework, Law 506/2004 applies to all providers of electronic communications services in Romania: public electronic communications networks; public electronic communications services; and providers of information society services when they process personal data in connection with electronic communications. General provisions, such as those regulating unsolicited commercial communications or communications confidentiality, apply to any entity; no particular profile is required for an entity to be bound by the respective obligations.

The beneficiaries are in general living individuals, with the exception of e-privacy rules on subscriber registers and unsolicited communications, which also benefit legal entities.


3. What is the territorial scope of the law?

The GDPR defines its territorial scope and it does not include particularities for Romania.

The applicability of the Romanian legal texts implementing the GDPR (Law 190/2018, Law 102/2005, ANSPDCP’s decisions) is limited to the national territory.

Law 506/2004 also has national territorial scope, but, as it implements the ePrivacy Directive (2002/58/EC), it is closely aligned with the laws of the other EU Member States implementing the same Directive.


4. What acts and operations relating to personal data are regulated?

The GDPR and related national legislation cover any type of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Law 506/2004 provides for special rules for certain types of activities concerning communications data and metadata, e.g., hiding the identity of callers or connected lines, inclusion in subscriber registers, use for electronic communications, etc. See above, Question 1, for such specific examples.


5. What personal data does the law regulate?

The Romanian legislation protects personal data, comprising any information about an identified or identifiable natural person, which means one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data protection covers pseudonymised data (data about an individual that can only be attributed to a specific data subject with the use of additional information, kept separately and secured via technical and organisational measures), but not anonymised data (data whose subject is no longer identifiable). 

Deceased individuals’ data also benefit from protection under the general Civil Code, but this falls outside the scope of this analysis as, stricto sensu, personal data protection refers only to living human beings.


6. Are any types of personal data subject to a higher level of protection under the law?

As per the GDPR itself, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited, unless certain legal grounds can be invoked (explicit consent, execution and performance of a labour agreement, vital interests, data manifestly made public by the data subject, legal claims or substantial public interests, including public health, etc.).

Processing of personal data relating to criminal convictions and offences or related security measures can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. 

Consent for processing data of children below the age of 16 years in the context of information society services must be given or authorised by the holder of parental responsibility over the child.

Since all these are not specific to the Romanian legislation, but addressed in the EU legislation, we are not going into further details here.

Law 190/2018, for implementing the GDPR, provides for additional layers of protection as regards two categories of data:

  • The processing of genetic, biometric or health data, in order to carry out an automated decision-making process or to create profiles, is allowed with the explicit consent of the person concerned or if the processing is based on express legal provisions.
  • The processing of a national identification number, including by collecting or disclosing documents bearing it, can be carried out based on any of the six legal grounds outlined in Question 7, below, but, when based on legitimate interest of the controller or a third party, the following requirements are added: appointing a data protection officer; taking additional measures to ensure data security and confidentiality and compliance with the principle of data minimisation; setting clear retention timelines; and ensuring regular training for the employees or processors handling such data.

Law 506/2004, on e-privacy, has special provisions for the use of cookies and similar technologies, traffic and location data, calling and connecting line ID, subscriber registers, as well as contact data used in the context of unsolicited commercial communication — see above, Question 1. 


7. What requirements must be fulfilled in order to process personal data?

Personal data processing can be grounded on:

  • Consent:
    • Consent must be informed, freely given, specific and unambiguous. It should be as easy to withdraw consent as to give it and the processing prior to the withdrawal remains valid. The Romanian legal framework does not provide differently than the EU legislation and practice in this respect, notably the EDPB’s Guidelines 05/2020 on consent under Regulation 2016/679.
    • Consent must be explicit for processing special categories of data, and there are certain data types or processing types that require consent as legal basis — processing of genetic, biometric or health data, absent express legal provisions; making decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect the data subject; placing and retrieving cookies and similar identifiers; etc.
  • Necessity for entering into and/or performing a contract.
  • Vital interest of an individual.
  • Legal obligation of the controller:
    • in a change of paradigm compared to Directive 95/46/EC, such an obligation must be laid down in EU or EU Member State law.
  • Public interest regulated by the EU or EU Member State legislation.
  • Legitimate interest of the controller or of a third party that would need to be balanced against the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

For special categories of data, these grounds apply selectively and are more narrowly defined — see above, Question 6, for examples.

The legal grounds for processing are the practical expression of lawfulness as a core principle of personal data processing and, in principle, any processing must rest on a legal ground, with the exception of processing for journalistic purposes or for academic, artistic or literary expression — see above, Question 1, for comments about Law 190/2018. 

Each new processing, even if it refers to the same set of data, requires in principle identifying and justifying a legal ground.


8. What obligations apply when processing personal data?

Personal data controllers are required to process personal data lawfully (that is, making sure there is a valid legal ground for it — see above, Questions 6 and 7), fairly and transparently (that is, by informing the data subjects about who, why, where and for how long their data is processed, as well as what rights the data subjects have regarding their data). The law provides for exceptions, mainly for cases where the data subjects already have the information or where providing information is impossible, entails disproportionate efforts or is likely to render impossible or seriously impair the achievement of the objectives of that processing. Personal data should be limited to what is necessary for the purpose of processing and kept in a form that permits data subjects’ identification only as long as it is necessary for the purposes of processing. Controllers must facilitate data subjects exercising their rights under the GDPR — see below, Question 9 — and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. All data breaches must be documented, while those likely to result in a risk for data subjects must be notified within 72 hours to ANSPDCP, using a mandatory online form. If the breach is likely to result in high risk to the rights and freedoms of natural persons, the data subject must be informed without undue delay. 

Controllers are responsible for demonstrating compliance with all principles relating to processing of personal data. This includes maintaining detailed records of processing activities, conducting data protection impact assessments where necessary (the Romanian authority issued a decision with examples of such situations — see above, Question 1), implementing data protection by design and by default, and appointing a data protection officer (in addition to the cases provided for in the GDPR, the Romanian legislation mandates the appointment of a Data Protection Officer (DPO) by controllers processing national identification numbers based on legitimate interests — see above, Question 6). Controllers must ensure that any transfer of personal data to a third country or international organisation outside the EU/EEA complies with the GDPR’s requirements for international data transfers (see below, Question 11). Finally, when controllers entrust data processing to processors, they are responsible for properly assessing and instructing them, for auditing how they comply with such instructions, as well as for setting the terms and conditions within a data processing agreement (Article 28 GDPR).

Personal data processors have fewer responsibilities, as long as they remain within the boundaries of the controller’s instructions. However, they should inform the controller if they deem an instruction to be infringing the personal data protection framework. Processors also have their own obligations to implement appropriate technical and organisational measures to ensure the security of the processed personal data; to obtain prior written consent from the controller before engaging any sub-processors; to maintain records of processing activities carried out on behalf of the controller and notify the controller without undue delay after becoming aware of a personal data breach. They also have their own obligations to ensure that transfer of personal data outside the EU/EEA complies with the GDPR’s requirements (see below, Question 11).


9. What rights does the data subject have in relation to personal data?

The GDPR stipulates that data subjects have the following rights:

  • to be informed about the processing of their personal data (for exceptions, see above, Question 8);
  • to request access to their personal data held by controllers, including details on how and why it is processed;
  • to request corrections of inaccurate or incomplete personal data;
  • to request erasure of their personal data when it is no longer needed for the purpose it was collected, or if they withdraw consent or object to processing (exceptions to this right include the cases where processing is mandated by the law or it is necessary for legal claims, etc.);
  • to ask controllers to limit the processing of their data under certain conditions, such as when they contest its accuracy;
  • to obtain their personal data in a structured, commonly used format and transfer it to another controller;
  • to object to processing based on legitimate interests or direct marketing;
  • not to be subject to automated decisions that significantly affect them — unless this is imposed by law, contract, explicitly consented to and additional safeguards are in place, such as requesting human intervention;
  • to be informed of data breaches resulting in high risks for their rights, freedoms and interests;
  • to file complaints with the data protection authority or the competent courts (in which case the claim is court fee-exempt, as per the Romanian Law 102/2005), as well as to be represented for such claims;
  • to withdraw their consent regarding processing of data just as easily as consent was given.

The GDPR outlines in Article 23 a list of cases where exceptions to these rights apply (for example, for reasons of national security, defence or public security; to prevent, investigate or prosecute criminal offences; for judicial proceedings or regulatory compliance), under conditions of proportionality, necessity and ensuring legal safeguards for data subjects’ rights.

The Romanian legislation also provides for exceptions for journalistic purposes or for academic, artistic or literary expression, for scientific or historical research purposes or statistical purposes, as well as when processing for archiving purposes (see above, Question 1). 


10. What rules regulate the sending of commercial or direct marketing communications?

Law 506/2004 on e-privacy provides that automated commercial communications via systems that do not require human intervention, including fax, email or other electronic communication services, are prohibited unless the recipient has given explicit prior consent. The notable exception is the case of a business collecting an email address during a sale, which it may use for commercial messages about similar products, provided it offers a clear and free opt-out option both at the time of collection and with each message. Commercial emails must not hide the sender’s identity or omit a valid contact address for opt-out requests. It must be noted that these provisions apply not only to individuals that are personal data subjects, but also to legal entities — companies, institutions, etc.

Special provisions about direct marketing communications are also found in the GDPR — Article 21 provides a specific right to object to processing for direct marketing purposes, which is absolute in nature: it bears no exceptions and it must be brought to the data subject’s attention separately in privacy notices. 


11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

The Romanian rules for transfer of personal data overlap those of the EU/EEA; that is, the GDPR-set regime. The GDPR imposes, on both controllers and processors, strict conditions for the international transfer of personal data to ensure that the GDPR level of protection is not undermined. 

Transfers are allowed as follows:

  • Under the regime of an “adequacy decision” whereby the European Commission evaluates whether a third country’s data protection laws align with GDPR standards. Notably, the framework for EU–US transfers was subject to important debates and case-law, but currently the US organisations enrolled in the Privacy Framework can receive personal data transferred from the EU.
  • If there is no adequacy decision, data transfers can still occur if the data controller or processor provides appropriate safeguards, such as Standard Contractual Clauses (pre-approved contractual terms to apply between parties that ensure data protection standards are upheld), Binding Corporate Rules (internal policies adopted by multinational companies to ensure consistent data protection practices across all subsidiaries), Codes of conduct or Certification mechanisms.
  • Transfers are also permitted under certain specific conditions, including: explicit consent, contract performance, legal claims, important reasons of public interest, to protect the vital interests of a person, or in the case of isolated and limited transfer.
  • The Romanian legislation provides for an exception from these strict rules when processing is done for journalistic purposes or for academic, artistic or literary expression.

12. What are the investigatory and enforcement powers of the regulator?

ANSPDCP has the powers and competencies provided for in the GDPR for the data protection authorities. Law 102/2005 was amended in 2018 to include details about its powers in Romania under the GDPR.

ANSPDCP conducts investigations through scheduled and surprise inspections, requests for information, and access to documents and data storage equipment. If its access is obstructed, it can seek judicial authorisation from the Bucharest Court of Appeal. ANSPDCP can impose corrective measures, including administrative fines and recommendations, and can conduct joint operations with other EU data protection authorities if required. ANSPDCP must assess any complaint it receives within 45 days to decide on its admissibility, and must then update the complainant on the investigation’s progress and results within set timeframes.

ANSPDCP’s decisions can be contested in Romanian administrative courts. Persons affected by data processing violations can also seek redress through the courts. Legal actions, including appeals and claims for damages, are exempt from court fees.


13. What are the sanctions and remedies for non-compliance with data protection laws?

Violations of specific GDPR provisions are classified as misdemeanours in Romanian law. The primary sanctions include warnings and fines as per Article 83 of the GDPR. ANSPDCP is responsible for investigating misdemeanours, applying fines, and implementing corrective measures such as limiting data processing or ordering data deletion. Appeals against sanctions can be made to Romanian courts.

Law 190/2018 addresses the application of corrective measures to public authorities — first, ANSPDCP drafts a report documenting the misdemeanour, issues a warning and sets a remediation plan. ANSPDCP may conduct a follow-up inspection within 10 days after the remediation deadline to verify compliance. Fines may be imposed only if the remediation measures are not fully implemented and, by exception from the GDPR, the fines for public authorities are capped at RON 200,000 (approximately EUR 40,000). The regime set for public authorities was heavily criticised as discriminatory when compared with the legal risks faced by the private sector.
