Data Law Navigator | Romania
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 11 April 2018
- Law No. 677 of 2001 regarding the protection of individuals with regard to processing their personal data and the free movement of such data (Data Protection Act)
- Law No. 102 of 2005 on setting up, organisation and functioning of National Supervisory Authority for Personal Data Processing (Law No. 102/2005)
- Law No. 506 of 2004 on the processing of personal data and the protection of privacy in the electronic communications sector (Law No. 506/2004).
- National Supervisory Authority for Personal Data Processing (the Authority)
Anticipated changes to law
The Data Protection Act will be repealed when the GDPR comes into force.
Law No. 102/2005 will be amended to align the Authority's powers with the GDPR provisions, including on the enforcement side.
If applicable: stage of legislative implementation of GDPR
GDPR will directly enter into force on 25 May 2018.
If applicable: local derogations as permitted by GDPR
None at this stage.
The Data Protection Act applies to all data processing operations performed by data controllers established in Romania concerning individuals’ personal data.
The Data Protection Act also applies if a third-country controller engages a data processor situated in Romania, or uses equipment located in Romania, unless the equipment is used solely for the purpose of transit through the EU. These foreign data controllers must appoint a representative in Romania.
Under Law No. 506/2004, the processing of personal data and the protection of individuals' privacy in the electronic communications sector falls within the Authority's competence to investigate the processing under the Data Protection Act.
Under the Data Protection Act, the Authority has enforcement powers, and may issue administrative fines against controllers processing personal data in a manner not compliant with the Act.
In the case of a violation of the provisions of the Data Protection Act, the Authority is entitled to:
- order the rectification of any personal data that is deemed inaccurate
- order the blocking, erasure or destruction of personal data processed unlawfully
- prohibit the unlawful handling or processing of personal data
- prohibit the cross-border transmission or disclosure of personal data
- order access to the relevant person's information, if it was refused by the data controller unlawfully
- impose a fine of between RON 500 and RON 50,000 (around EUR 111 to EUR 11,111).
In the electronic communications sector, companies with a turnover of more than RON 5m (around EUR 1.1m) may be subject to a fine of up to 2% of their turnover. Companies with a turnover below that threshold may be fined up to RON 100,000 (around EUR 22,222).
Registration / Notification
Under the Data Protection Act, as a rule, the processing of personal data calls for advance notification to the Authority.
In certain cases, when certain categories of personal data are involved, a mandatory prior investigation may be performed by the Authority to check that the processing does not violate the rights and freedoms of individuals.
Main obligations and processing requirements
Under the Data Protection Act, data controllers that process individuals' personal data must introduce internal privacy policies and publish privacy notices on the processing of personal data.
Under the Data Protection Act, 'personal data' means any data relating to an identified or identifiable individual. It therefore covers any information relating to a natural person and any inference drawn from such information.
In line with Article 8 of EU Directive 95/46/EC, the Data Protection Act sets special categories of data (sensitive personal data), including:
- personal data revealing racial, national or ethnic origin; political opinions and any affiliation with political parties; religious or philosophical beliefs; trade union membership;
- personal data concerning health, addictions, sex life, or criminal record.
Personal data may be processed only with the data subject’s prior, voluntary, express and informed consent, with the exception of cases when the processing is allowed by law.
Data subject rights
There is no minimum age for the collection of personal data, assuming applicable legal safeguards are implemented. The processing of personal data about minors within direct marketing activities, or data about minors collected through the internet or electronic communication means, is expressly regulated as processing that poses specific risks to the rights and freedoms of individuals and is subject to a mandatory Authority audit prior to commencing processing activities.
Data subjects have the right to:
- be informed, including the right to request confirmation as to whether or not data relating to them is being processed
- rectify any incorrect personal data
- delete personal data if inaccurate or processed unlawfully
- block personal data if there are reasonable grounds to believe that erasure could affect their legitimate interests
- object to the processing of their personal data
- appeal to the Authority or a court in case of the unlawful processing of their personal data.
Processing by third parties
The data controller may entrust the processing of personal data to a third party. The processing of personal data on behalf of a data controller should be performed on the basis of a relevant written agreement. The agreement must contain the elements required by the Data Protection Act, which include: terms and purposes of the data processing; confidentiality and data security obligations of the data processor; obligations of the processor to comply with the methods of protection provided by the Data Protection Act.
A company that processes personal data (the technical processor) must perform its activities in accordance with the requirements of the Act, which includes ensuring the confidentiality and protection of personal data.
Transfers out of country
The transfer of data to an EU/European Economic Area member state is deemed to be the same as if the data was transferred within the territory of Romania. The same applies to transfers to third-party data importers located in non-EU/EEA countries recognised by the Authority as having a similar level of protection – e.g. Switzerland, Jersey, Guernsey, Isle of Man, Canada and Argentina.
Data controllers may transfer personal data to recipients located in countries outside the European Union/the European Economic Area (i.e. data controllers or processors that process data in third countries or technical data processors that technically process data in a third country) if:
- the transfer is expressly approved by the relevant persons whose data will be transferred.
- the transfer is performed under Romanian law, and an adequate level of protection of personal data is ensured in the third country.
The Authority assesses "adequate level of protection of personal data" on a case-by-case basis. Considerations include the nature of the data to be transferred, the processing scope and the proposed duration of the processing.
The Authority’s assessment is not necessary if (i) protection is established by sector-specific legislation, or (ii) there is an international agreement between the third country and Romania containing the guarantees referred to in the Data Protection Act regarding the rights of data subjects, their rights to remedies, and the independent supervision and control of data processing operations.
Personal data can be transferred to third countries, even if the 'adequacy' conditions are not met, if the transfer is for:
- the implementation of international treaties and agreements on international legal aid
- the avoidance of double taxation.
Data Protection Officer
The appointment of internal data privacy officers is voluntary. There is no obligation on data controllers to designate an internal data privacy officer under the Data Protection Act.
Data controllers, or data processors on behalf of their controllers, are obliged to observe certain minimum security measures when processing personal data – e.g. supervised access to the personal data, identification and log-on requirements for employees within the company who process personal data.
Under secondary data protection legislation (Authority Order No. 52/2002 approving the minimum technical security measures, issued by the Romanian Ombudsman), there are some minimum security measures that must be implemented by the data controller when processing personal data.
Under the Data Protection Act, there is no legal obligation to notify personal data security breaches to data subjects or to the Authority.
However, a notification obligation applies under Law No. 506/2004 if a breach occurs concerning the processing of personal data and the protection of privacy in the electronic communications sector.
- By e-mail – need to obtain consent, or offer the recipient the possibility of rejecting at any time any such unsolicited electronic mail.
- By regular (postal) mail – opt-out regime (you can freely mail consumers unless they instruct you to stop mailing them).
- By phone – opt-out regime (you can freely call consumers unless they instruct you to stop calling them).
Need to obtain consent.