The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:
- Articles 6 to 16 of the Mexican Constitution;
- The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
- The General Law for the Protection of Personal Data in Possession of Obligated Subjects, which governs personal data held by public bodies; and
- The Federal Consumer Protection Law, which governs certain aspects concerning marketing activities.
Additionally, Mexico is a signatory of international agreements on data protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.
Law n. 9887 dated 10 March 2008 “On protection of personal data”.
This law shall apply to the processing of personal data, wholly or partly by automatic means, and to the processing by other means of personal data stored in a filing system, or intended to form part of a filing system.
This law shall apply to the processing of personal data by:
- controllers established in the Republic of Albania;
- diplomatic missions or consular offices of the Albanian state;
- controllers who are not established in the Republic of Albania, making use of any equipment situated in the Republic of Albania.
In circumstances stipulated in point 3, the controller designates a representative established in the territory of Albania. Stipulations of this law applying to controllers are also applicable to their representatives. This law applies also to the public authorities that process personal data.
This law is not applicable to processing of data:
- by a natural person for purely personal or family purposes;
only in case the information is provided about public officials or public (state) administration servants, reflecting their public, administrative activities or issues related to their duties.
As an EU Member State, Romania complies with the GDPR, which is directly applicable.
In furtherance of the GDPR, Law no. 190/2018 (“Law 190”) was issued to provide measures necessary for the implementation at the national level of certain GDPR provisions, such as the processing of genetic, biometric or health-related data, the processing of a national identification number, electronic surveillance of employees at the workplace, or the sanctions applicable to public authorities in case of a GDPR breach.
In addition, the Romanian Data Protection Authority for Personal Data Processing (“RDPA”) has issued secondary legislation, regulating mainly:
- data breach notification (RDPA Decision no. 128/2018);
- solving data privacy complaints (RDPA Decision no. 133/2018);
- data privacy investigations (RDPA Decision no. 161/2018);
- data processing operations which require mandatory data privacy impact assessments (RDPA Decision no. 174/2018).
In the telecom sector, the e-privacy Directive was transposed into Romanian law by Law no. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector (“Law 506”).
The competent authorities are subject to the Law no. 363/2018 on the protection of natural persons in relation to the processing of personal data for the purpose of the prevention, detection, investigation, prosecution and combating of criminal offences or for the execution of sanctions, educational and safety measures and the free movement of such data.