Data protection and cybersecurity laws in Romania

Data protection

1. Local data protection laws and scope

As an EU Member State, Romania complies with the GDPR, which is directly applicable.

In furtherance of the GDPR, Law no. 190/2018 (“Law 190”) was issued to provide measures necessary for the implementation at the national level of certain GDPR provisions, such as: processing of genetic, biometric or health concerning data, processing of a national identification number, electronic surveillance of the employees at the workplace, or the sanctions applicable to public authorities in case of a GDPR breach.

In addition, the Romanian National Supervisory Authority for Personal Data Processing (the Romanian data protection authority, “RDPA”) has issued secondary legislation, regulating mainly:

  • data breach notification (RDPA Decision no. 128/2018);
  • handling of data privacy complaints (RDPA Decision no. 133/2018);
  • data privacy investigations (RDPA Decision no. 161/2018);
  • data processing operations which require mandatory data privacy impact assessments (RDPA Decision no. 174/2018).

In the telecom sector, the e-privacy Directive was transposed into Romanian law by Law no. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector (“Law 506”).

Competent authorities are subject to Law no. 363/2018 on the protection of natural persons in relation to the processing of personal data for the purpose of the prevention, detection, investigation, prosecution and combating of criminal offences or for the execution of sanctions, educational and safety measures, and on the free movement of such data.

2. Data protection authority

Romanian National Supervisory Authority for Personal Data Processing: www.dataprotection.ro

3. Anticipated changes to local laws

There are no anticipated changes to local laws.

4. Sanctions & non-compliance

Administrative sanctions:

Breaches of the law are sanctioned in accordance with the GDPR provisions.

The RDPA has set particular penalties for specific GDPR breaches for data controllers only in the public sector (i.e. public authorities/institutions).

For public institutions/authorities, Law no. 190/2018 provides for a maximum threshold of RON 200,000 (EUR 40,000) in fines for GDPR-related breaches. 

For breaches of Law 506, the RDPA may apply fines ranging between RON 5,000 and RON 100,000 (EUR 1,000 – EUR 20,000) or, in the case of legal persons with a turnover of over RON 5m (EUR 1m), up to 2% of the turnover. The RDPA may also apply penalty fines per day of delay, in an amount of up to RON 5,000 (EUR 1,000).

Criminal sanctions:

None.

Others:

RDPA may issue warnings and recommendations, and other corrective measures in accordance with the GDPR provisions.

Compensation can be sought for any material or non-material damage caused by GDPR breaches, based on the GDPR grounds and Romanian tort liability rules.

5. Registration / notification / authorisation

Notification applies as per the GDPR (e.g. for notification of the DPO to the RDPA). Romanian law does not require a registration or authorisation for processing of personal data.

The template format of the DPO notification is provided on the RDPA website.

6. Main obligations and processing requirements

The main obligations and processing requirements are aligned with the GDPR.

However, Law 190 provides additional requirements in respect of:

  • electronic monitoring of employees in the workplace;
  • processing for legitimate interest of the newly defined concept “national identification number” (e.g. personal code number, ID series and number, passport number etc.);
  • processing of genetic data, biometric data, data concerning health for automated decision-making and profiling.

RDPA Decision no. 174/2018 establishes specific data processing operations that require mandatory data privacy impact assessments.

7. Data subject rights

There are no derogations from the GDPR.

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

There are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

There are no derogations from the GDPR.

The template format of the data breach notification is as set out in RDPA Decision no. 128/2018 and found on the RDPA website.

13. Direct marketing

Pursuant to Law 506, the rule is that e-marketing messages require the prior express consent of the recipient (i.e. opt-in), except for email communications that meet all of the following conditions:

  • the recipient’s email was originally collected “on occasion of a sale”, directly from the respective person;
  • the entity sending the marketing is the same legal entity as the one that collected the recipient’s email initially;
  • the marketing concerns “similar” products and/or services to the ones for which the recipient’s email was originally obtained;
  • the recipient is given the opportunity free of charge to object to e-marketing both at the time when their email address was collected and in each subsequent communication.

14. Cookies and adtech

Same as per the GDPR and the ePrivacy Directive.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

Law no. 362/2018 on ensuring a high common level of security of network and information systems (transposing the NIS Directive).

In addition, the following secondary legislation was issued:

  • Order no. 599/2019 approving the Methodological Norms for identifying operators of essential services and digital services providers.
  • Order no. 600/2019 approving the Methodological Norms for the operation of the Registry of operators of essential services.
  • Order no. 601/2019 approving the Methodology for determining the significant disruptive effect of security incidents in networks and information systems of the operators of essential services.
  • Government Decision no. 963/2020 for the approval of the List of essential services.
  • Government Decision no. 976/2020 on the approval of threshold values for determining the significant disruptive effect of security incidents on networks and information systems of the operators of essential services.
  • Government Decision no. 1003/2020 approving the Technical Norms for determining the impact of security incidents.
  • Government Decision no. 271/2013 approving Romania’s Cybersecurity Strategy and Action Plan for the implementation of the National Cybersecurity System.

The Government Emergency Ordinance no. 111/2011 regarding electronic communications (“GEO 111”) sets out the legal framework for providers of electronic communications networks and services.

2. Anticipated changes to local laws

There are no anticipated changes to local laws.

3. Application 

Similar to the NIS Directive, Romanian cybersecurity legislation applies to operators of essential services and digital services providers, defined as follows:

  • Operators of essential services (“OES”) – operators in a number of sectors of the economy (i.e. energy, transport, banking and financial markets, healthcare, water, digital infrastructure) which meet the following conditions: (a) they provide a service that is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; and (c) an incident would have significant disruptive effects on the provision of that service.
  • Digital services providers (“DSP”) – any legal entity providing a digital service, i.e. (a) an online marketplace; (b) an online search engine; or (c) a cloud computing service.

Special rules regarding the security requirements and incident reporting are provided in relation to providers of electronic communications networks and services, as set forth in GEO 111.

4. Authority

CERT-RO (the Romanian National Cybersecurity Incident Response Centre): https://cert.ro/

The Computer Security Incident Response Team (“CSIRT-RO”) is the department that operates within CERT-RO.

For the telecom sector:

ANCOM (The National Authority for Management and Regulation in Communications): https://www.ancom.ro/

5. Key obligations 

Under the cybersecurity legislation, the main obligations for OESs and DSPs are in line with the NIS Directive, namely:

  • conduct a self-assessment to determine whether the company is an OES or DSP, following the steps provided by the local law;
  • register with CERT-RO in the Registry for OESs or DSPs;
  • implement appropriate technical and organisational measures to meet minimum security requirements;
  • implement measures to prevent and minimise the impact of cybersecurity incidents;
  • perform an audit report proving compliance with the legal security requirements;
  • notify CERT-RO of any cybersecurity incidents with significant impact on the continuity of the provided services; and
  • provide CERT-RO with documentation, or any information required under the law or deemed necessary by CERT-RO.

In the telecom sector, providers of electronic communications networks and services have the following main obligations related to cybersecurity:

  • manage the risks that may affect the security of the networks and services;
  • ensure the integrity of the networks and the continuity of the services through these networks;
  • prevent or minimise the impact of security incidents on users and interconnected networks;
  • notify ANCOM, as soon as possible, of any breach of security or loss of integrity that has a significant impact on the provision of electronic communications networks and services.

6. Sanctions & non-compliance 

Administrative sanctions:

Breaches of Romanian cybersecurity legislation are sanctioned by a fine ranging from RON 3,000 to RON 50,000 (EUR 600 to EUR 10,000), or up to RON 100,000 (EUR 20,000) for repeated breaches.

For companies with a turnover exceeding RON 2m, the fine ranges from 0.5% to 2% of turnover, or even up to 5% of the turnover in case of repeated breaches.

For newly set up entities (without a reference turnover in the last approved/published financial statements) the fine ranges from one to 25 times the minimum wage.

Sanctions apply, inter alia, for:

  • failure to self-notify for registration in the Registry of operators of essential services;
  • failure to respond to requests for information from CERT-RO;
  • failure to implement measures imposed by CERT-RO to remedy deficiencies in cybersecurity;
  • failure to implement measures for ensuring minimal security requirements;
  • failure to implement adequate measures to prevent and mitigate the impact of cybersecurity incidents;
  • failure to notify cybersecurity incidents or delayed notification;
  • refusal to submit to a CERT-RO audit.

Before applying sanctions, the authorities will first serve a notice to the OES/DSP that will convey: the alleged breaches, what remedies should be taken within the related deadline and the applicable sanction.

Breaches of telecom legislation (i.e. non-compliance with security requirements and incident reporting) are sanctioned by fines ranging from RON 5,000 to RON 60,000 (EUR 1,000 to EUR 12,000), or up to RON 100,000 (EUR 20,000) for repeated breaches.

For companies with a turnover exceeding RON 3m, the fine amounts to 5% of the turnover, or even up to 10% of the turnover in case of repeated breaches.

Criminal sanctions:

Breaches of cybersecurity law do not trigger criminal liability (i.e. no criminal liability of the OES/DSP as such).

Criminal sanctions are only applied to cybercrimes, for instance:

  • Hacking (i.e. illegal access to a computer system);
  • Disruption of computer systems;
  • Computer fraud (e.g. deleting computer data);
  • Unauthorised transfer of computer data.

The above criminal offences are punished by around one to seven years’ imprisonment for natural persons, a sanction that is commuted to an equivalent fine for legal persons.

Others:

Compensation can be sought for any material or non-material damage caused by violations of cyberlaw under the Romanian tort liability rules.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes, CSIRT-RO mentioned above.

8. National cybersecurity incident management structure

Same as above.

9. Other cybersecurity initiatives 

eCSI – an initiative by CERT-RO to enhance national cybersecurity services and capabilities (co-financed by the EU under the Connecting Europe Facility). The Project objectives are:

  • creating a National Cyber Services Platform at the level of CERT-RO to enhance its technical capabilities in the management of cybersecurity incidents;
  • creating a National Cybersecurity Call Centre for processing cybersecurity incidents/notifications;
  • creating a Digital Forensic and Malware Analysis Lab.
Cristina Popescu
Senior Counsel and Head of CEE Insurance Practice Group
Bucharest
Alexandra Voinia
Associate
Bucharest